To configure devices within a managed realm, administrators use templates and template groups. A template is a basic component that allows you to configure all settings of the managed devices, e.g. an NGFW: network settings, firewall rules, content filtering, intrusion detection system, etc.
Template groups allow multiple templates to be combined into a single configuration that applies to a managed device. Groups simplify centralized management, allowing you to make basic configurations for all device types using one or more templates in the group. Additionally, to configure any UserGate device individually, you can add separate templates with specific settings. The final settings that will apply to a device are generated by merging all settings specified in the templates of a template group based on their location in the group. Thus, you can define template groups based on the firewall's geographical location (e.g., Singapore, Hong Kong, Dubai, etc.) or business function (e.g., a realm with multiple template groups for managing sales office, development office, production, etc.).
This example shows a realm with multiple template groups for managing a UserGate NGFW:
Two types of configurations can be sent to the device:
- Parameter settings, such as IP addresses of DNS servers.
- Policy rules, such as firewall or content filtering rules.
The type of configuration controls how the final value is determined. Policy rules are always passed to all devices, and the final policy is the set of all rules arranged according to the order of their templates in the template group. The rules specified in higher templates are placed at the top of the final list of rules on the device.
If the values of a parameter in different templates of the same template group conflict, the value from the uppermost template applies. Local settings for this parameter are ignored.
The example below shows the final value for a parameter defined in multiple templates:
Templates can contain pre-rules and post-rules. These rules refer to rule locations relative to the rules created by the local UserGate NGFW administrator. Pre-rules always reside higher in the rule list and therefore have higher priority than locally created rules. Post-rules always reside lower than locally created rules and therefore have lower priority. The ability to create the two rule types allows realm administrators to define flexible security policy settings by giving local administrators more rights (with post-rules) or fewer (with pre-rules).
This example demonstrates a final policy when using pre-rules, post-rules, and local rules:
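The merge behaviour described above can also be modelled in a short Python sketch. This is an added illustration, not UserGate code: the template names, parameter keys, rules and addresses are constructed sample data, and three points are assumptions (a parameter set only locally is kept, post-rules from several templates follow the same top-to-bottom order, and rules are evaluated first-match on a single field).

```python
# Added illustration: simplified model of template-group merging.
# All template names, keys and rules are constructed sample data.

GROUP = [  # ordered from the top of the group to the bottom
    {"name": "global-baseline",
     "params": {"dns": ["10.0.0.53"], "ntp": "ntp.example.internal"},
     "pre_rules": [("block-telnet", "telnet", "drop")],
     "post_rules": [("deny-all", "any", "drop")]},
    {"name": "site-singapore",
     "params": {"dns": ["10.20.0.53"]},
     "pre_rules": [("allow-dns", "dns", "accept")],
     "post_rules": []},
]
LOCAL_PARAMS = {"dns": ["192.0.2.53"], "timezone": "Asia/Singapore"}
LOCAL_RULES = [("allow-telnet-lab", "telnet", "accept"),
               ("allow-ssh", "ssh", "accept")]

def merge_parameters(templates, local):
    final = dict(local)  # assumption: a value set only locally is kept
    # Apply bottom-up so the uppermost template writes last and wins;
    # a local value for a template-defined parameter is overwritten.
    for tpl in reversed(templates):
        final.update(tpl["params"])
    return final

def merge_policy(templates, local_rules):
    pre, post = [], []
    for tpl in templates:  # higher templates contribute their rules first
        pre += tpl["pre_rules"]
        post += tpl["post_rules"]  # assumption: same ordering for post-rules
    return pre + list(local_rules) + post

def first_match(rules, service):
    # Assumption: top-down, first-match evaluation on a single field.
    for name, svc, action in rules:
        if svc in (service, "any"):
            return name, action
    return None, None

if __name__ == "__main__":
    print(merge_parameters(GROUP, LOCAL_PARAMS))
    policy = merge_policy(GROUP, LOCAL_RULES)
    for rule in policy:
        print(rule)
    print(first_match(policy, "telnet"))  # pre-rule shadows the local allow
```

In this sample the local `allow-telnet-lab` rule can never take effect because the realm's pre-rule matches first, while `allow-ssh` does take effect because only a post-rule sits below it.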