Device management

The Device management section is used to configure the following UGMC settings:

  • Clustering

  • Diagnostics settings

  • Server operations

  • Backup

  • Settings export and import

Clustering and High Availability

UGMC supports two types of clusters:

  1. Configuration cluster. Nodes combined into a configuration cluster support unified configuration within the cluster.

  2. High Availability (HA) cluster. Up to 4 configuration cluster nodes can be combined into a HA cluster that supports the Active-Active or Active-Passive operation modes.

Note When implementing UGMC in high availability mode, you must complete both the configuration cluster settings and the HA cluster settings.

A number of settings are specific to each cluster node, e.g., network interface configuration and IP addressing. The node-specific settings are:

  • Diagnostics settings

  • Network interface settings

  • Gateway settings

  • Routes

To create a configuration cluster, follow these steps:

Step 1. Perform the initial configuration on the first cluster node.

See the Initial Configuration chapter.

Step 2. On the first cluster node, configure the zone whose interfaces will be used for cluster replication.

In the Zones section, create a dedicated zone for replicating the cluster settings. Allow the following services in the zone's settings:

  • Administrative console

  • Cluster

Do not use zones whose interfaces are connected to untrusted networks (e.g., the Internet) for replication.

Step 3. Specify the IP address that will be used to communicate with other cluster nodes.

In the Device Management section of the Cluster configuration window, select the current cluster node and click the Edit button. Specify the IP address of an interface located in the zone you configured at Step 2.

Step 4. Generate a master node secret on the first cluster node.

In the Device management section, click Generate secret code and copy the resulting code to the clipboard. This master node secret is required for one-time authorization of a second node before adding it to the cluster.

Step 5. Connect a second node to the cluster.

A second and subsequent nodes are added to the cluster during their initialization. If the initialization has already been performed, reboot the device and perform a factory reset.

Connect to the web console of the second cluster node and select the installation language.

Specify the network interface that will be used to connect to the first cluster node and assign it an IP address. Both cluster nodes must reside in the same subnet (for example, the port2 interfaces of the two nodes are assigned the IP addresses 192.168.100.5/24 and 192.168.100.6/24, respectively). Otherwise, you need to specify the IP address of the gateway through which the first cluster node will be reachable.

Specify the IP address of the first node configured at Step 3, enter the master node secret, and press the Connect button. If the IP addresses of the cluster configured at Step 2 are assigned correctly, the second node will be added to the cluster, and all the settings from the first cluster node will be replicated on the second one.

Step 6. Assign zones to the interfaces of the second node.

In the web console of the second cluster node, under Network ➜ Interfaces, assign the correct zone to each interface. The zones and their settings are obtained through data replication from the first cluster node.

Step 7. Configure the settings specific to each cluster node (optional).

Configure the gateways, routes, and other settings specific to each cluster node.

Up to four configuration cluster nodes can be combined into a HA cluster. There can be multiple HA clusters. Two modes are supported: Active-Active and Active-Passive.

In Active-Passive mode, one of the servers acts as the master node that processes traffic, while the others serve as backups. One or more virtual IP addresses are specified for the cluster. The virtual addresses are switched from the master node to one of the backup nodes under the following circumstances:

  • A backup server gets no confirmation that the master instance is online, for example because it is offline or the nodes are unreachable on the network.

  • Internet connectivity checking is configured on the master instance.

  • A software fault has occurred in UserGate.

Below is an example network diagram of an HA cluster in Active-Passive mode. The network interfaces are configured as follows:

  • Trusted zone: IP1, IP2, IP3, IP4 and the cluster IP (Trusted).

  • Management zone: the interfaces in the Management zone are used to manage the UGMC nodes.

[Figure: network diagram of an HA cluster in Active-Passive mode]

The cluster IP address resides on the UGMC 1 node. If the UGMC 1 node goes offline, the cluster IP address will migrate to the next server, which becomes the master, e.g., UGMC 2.

In Active-Active mode, one of the servers acts as the master node that distributes traffic across all other cluster nodes. Since the cluster IP address resides on the master node, that node responds to client ARP requests. By answering successive ARP requests with the MAC addresses of the different HA cluster nodes in turn, the master node spreads traffic evenly across all cluster nodes while preserving user session continuity. One or more virtual IP addresses are specified for the cluster. The master role is assumed by one of the backup nodes under the following circumstances:

  • A backup server gets no confirmation that the master instance is online, for example because it is offline or the nodes are unreachable on the network.

  • Internet connectivity checking is configured on the master instance.

  • A software fault has occurred in UserGate.

Below is an example network diagram of an HA cluster in Active-Active mode. The network interfaces are configured as follows:

  • Trusted zone: IP1, IP2, IP3, IP4 and the cluster IP (Trusted).

  • Management zone: the interfaces in the Management zone are used to manage the UGMC nodes.

[Figure: network diagram of an HA cluster in Active-Active mode]

The cluster IP address resides on the UGMC 1 node, which is the master. The traffic is distributed between all cluster nodes. If the UGMC 1 node goes offline, the master role and the cluster IP address will migrate to the next server, e.g., UGMC 2.

To create a HA cluster, follow these steps:

Step 1. Create a configuration cluster.

Create a configuration cluster as described in the previous procedure.

Step 2. Configure the zones whose interfaces will participate in the HA cluster.

In the Zones section, you should allow the VRRP service for all zones where virtual cluster IP addresses are to be added (the Trusted zone on the above diagrams).

Step 3. Create a HA cluster.

In the Device management ➜ HA cluster section, click Add and configure the settings for the new HA cluster.

The settings for a HA cluster are listed below:

Enabled

Enable or disable the HA cluster.

Name

The name of the HA cluster.

Description

A description of the HA cluster.

Mode

The HA cluster operating mode:

  • Active-Active: the load is distributed between all cluster nodes.

  • Active-Passive: the load is processed by the master node and switched to a backup instance if the master node is offline.

HA cluster multicast ID

Multiple HA clusters can be created in a single configuration cluster. Session synchronization uses a specific multicast address defined by this parameter. A unique ID must be assigned to each group of HA clusters that requires session synchronization support within the group.

Virtual router ID (VRID)

The VRID must be unique to each VRRP cluster in the local network. If there are no third-party VRRP clusters in the network, it is recommended to keep the default setting.

Nodes

Select the configuration cluster nodes to combine into an HA cluster. Here you can also assign the master role to one of the selected nodes.

Virtual IPs

Assign virtual IP addresses and map them to the interfaces of the cluster nodes.

Diagnostics

This section contains the server diagnostics settings that UGMC technical support may need to resolve any problems that arise.

Diagnostic details

  • Off: diagnostics logs are disabled

  • Error: log only server errors

  • Warning: log only errors and warnings

  • Info: log only errors, warnings, and additional information

  • Debug: provide as much detail as possible

It is recommended to set Diagnostic details to Error (errors only) or Off (disabled), unless UserGate technical support asked you to set different values. Any values other than Error (errors only) or Off (disabled) will affect UGMC performance negatively.

Diagnostics logs

  • Download logs: download the diagnostic logs for sending them to UserGate support.

  • Clear logs: purge logs of content.

Remote assistance

  • On/Off: enable/disable the remote assistance mode. Remote assistance allows a UserGate support engineer to connect securely to a UGMC server for troubleshooting, using the known values of the Remote assistance ID and token. For remote assistance to activate successfully, UGMC must have SSH access to the UserGate remote assistance server.

  • Remote assistance ID: a randomly generated value that is unique for each remote assistance session.

  • Remote assistance token: a randomly generated token value that is unique for each remote assistance session.

Server operations

In this section, you can perform the following server maintenance actions:

Server operations

  • Reboot: reboot the UGMC server

  • Shutdown: shut down the UGMC server

Updates channel

Here you can select the update channel for UGMC software:

  • Stable: check for stable software updates and download them (if any)

  • Beta: check for experimental updates and download them (if any)

The UserGate company is continuously working to improve its software and provides UGMC product updates as part of the Security Update license module subscription (for more details on licensing, see the UGMC Licensing chapter). If there are any updates, a notification to that effect is displayed in the Device management section. As a product update can take quite a while, it is recommended to account for the potential UGMC downtime when planning update installation.

To install updates, follow these steps:

Step 1. Create a backup file.

Create a backup of the UGMC state under Device management ➜ System backup management ➜ Create backup. This step is always recommended before applying updates, because it allows you to restore the previous state of the device should any problems arise during the update process.

Step 2. Install the updates.

In the Device management section, if the New updates available notification is present, click Install now. The system will install the downloaded updates, and when the installation completes, UGMC will reboot.

System backup management

This section allows you to manage UserGate backups, i.e. to set backup export rules, to create a backup, and to restore a UserGate device.

To create a backup, follow these actions:

Step 1. Create a backup

Under Device management ➜ System backup management, click Create backup. The system will save the current server settings in a file named backup_PRODUCT_NODE-NAME_DATE.gpg, where:

  • PRODUCT is the product type: NGFW, LogAn, or MC;

  • NODE-NAME is the UserGate node name;

  • DATE is the date and time when the backup was created, as YYYY-MM-DD-HH-MM in the UTC time zone.

To interrupt the backup process, press the Stop button. The backup record will be displayed in the device event log.

To restore the device status, follow these steps:

Step 1. Restore the device state

Under Device management ➜ System backup management, click Restore from backup and specify the path to the previously created settings file to upload it to the server. The restore will be offered in the TTY console when the device reboots.

In addition, the administrator can configure a scheduled file upload to external servers (FTP, SSH). To create a schedule for uploading settings, follow these steps:

Step 1. Create a backup export rule

In the Device management ➜ System backup management, click Add and enter a name and description for the rule.

Step 2. Specify the remote server parameters

In the Remote server tab of the rule, specify the parameters for the remote server:

  • Server type: FTP or SSH

  • Address: the server's IP address

  • Port: the server's port

  • Login name: the user account on the remote server

  • Password/Repeat password: the password for the user account

  • Directory path: the path on the server where the settings will be uploaded

If using an SSH server, you can use key-based authentication. To import or generate a key, select SSH key setup and choose Generate key or Import key.

Important! If you re-create a key, the existing SSH key will be deleted. The public key must be present on the SSH server in the user's key directory /home/user/.ssh/, in the authorized_keys file.

When initially configuring the SSH backup export rule, connection verification is mandatory (Check connection button). When the connection is verified, the server's host key fingerprint is placed in known_hosts. No files are sent until the connection has been verified.

Important! If you change the SSH server or reinstall it, the backup files will no longer be sent to it, because the host key fingerprint has changed. This protects you against server spoofing.

Step 3. Select the upload schedule

In the Schedule tab of the rule, specify when the settings should be uploaded. If specifying the time in the crontab-format, enter it as follows:

(minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday)

Each of the first five fields can be defined using:

  • An asterisk (*): denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • Step values: an increment given after a slash, applied to an asterisk or to a range. Examples: "2-10/2" means "2,4,6,8,10", while "*/2" in the hours field means "every two hours".

Exporting and importing settings

The administrator can save the current UGMC settings in a file and later restore them on the same or another UGMC server. This differs from a backup in that importing/exporting the settings does not preserve the current state of all system components: only the current settings are saved.

Note Importing/exporting the settings does not preserve the interface state or license information. After completing the import, you will need to configure the interfaces and re-register UGMC using the existing PIN code.

To export the settings, follow these steps:

Step 1. Export the settings.

In the Device management ➜ Settings export and import section, click the Export link and select Export all settings or Export network settings. The system will save:

  • the current server settings in a file named cc_core-mc_core@nodename_version_YYYYMMDD_HHMMSS.bin

  • the network settings in a file named network-cc_core-mc_core@nodename_version_YYYYMMDD_HHMMSS.bin

where nodename is the UserGate Management Center node name, version is the UserGate Management Center version, and YYYYMMDD_HHMMSS is the date and time of the settings export in the UTC time zone.

For example, cc_core-mc_core@ediasaionedi_7.0.0.93R-1_20220715_084853.bin or network-cc_core-mc_core@ediasaionedi_7.0.0.93R-1_20220715_084929.bin.
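The two file-name formats described above (backup archives and settings exports) carry the node name, version and UTC timestamp an operator should verify before restoring or importing. The following parser is an added example, not UGMC code; it assumes that neither the node name nor the version string contains an underscore, which holds for the example names on this page.

```python
"""Parse UGMC backup and settings-export file names (added example, not UGMC code).

Formats, as documented:
  backup_PRODUCT_NODE-NAME_DATE.gpg            DATE = YYYY-MM-DD-HH-MM (UTC)
  [network-]cc_core-mc_core@nodename_version_YYYYMMDD_HHMMSS.bin (UTC)
Assumption: nodename and version contain no underscore.
"""
import re
from datetime import datetime, timezone

BACKUP_RE = re.compile(
    r"^backup_(?P<product>NGFW|LogAn|MC)_(?P<node>.+)_"
    r"(?P<date>\d{4}-\d{2}-\d{2}-\d{2}-\d{2})\.gpg$")
EXPORT_RE = re.compile(
    r"^(?P<kind>network-)?cc_core-mc_core@(?P<node>[^_]+)_(?P<version>[^_]+)_"
    r"(?P<date>\d{8}_\d{6})\.bin$")


def parse_filename(name):
    """Return a dict (kind, product, node, version, created_utc) or raise ValueError."""
    m = BACKUP_RE.match(name)
    if m:
        created = datetime.strptime(m["date"], "%Y-%m-%d-%H-%M")
        return {"kind": "backup", "product": m["product"], "node": m["node"],
                "version": None,              # backup names carry no version
                "created_utc": created.replace(tzinfo=timezone.utc)}
    m = EXPORT_RE.match(name)
    if m:
        created = datetime.strptime(m["date"], "%Y%m%d_%H%M%S")
        return {"kind": "network settings" if m["kind"] else "all settings",
                "product": "MC",              # export names are produced by UGMC
                "node": m["node"], "version": m["version"],
                "created_utc": created.replace(tzinfo=timezone.utc)}
    raise ValueError(f"unrecognized UGMC file name: {name!r}")


if __name__ == "__main__":
    # The export name from this page and a constructed backup name.
    for sample in ("cc_core-mc_core@ediasaionedi_7.0.0.93R-1_20220715_084853.bin",
                   "backup_MC_mc-node1_2022-07-15-08-48.gpg"):
        print(parse_filename(sample))
```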

To apply the exported settings, follow these steps:

Step 1. Import the settings.

In the Device management ➜ Settings export and import section, click the Import link and specify the path to the previously created settings file. The settings will be applied to the server, after which the server will reboot.

Note To correctly import the rules that use updatable UserGate lists (applications, URL categories, etc.), you need to have licenses for the SU and ATP modules as well as pre-downloaded UserGate lists.

In addition, the administrator can configure a scheduled settings upload to external servers (FTP, SSH). To create a schedule for uploading settings, follow these steps:

Step 1. Create an export rule.

In the Device management ➜ Settings export section, click Add and enter a name and description for the rule.

Step 2. Specify the remote server parameters.

In the Remote server tab of the rule, specify the parameters for the remote server:

  • Server type: FTP or SSH

  • Address: the server's IP address

  • Port: the server's port

  • Login name: the user account on the remote server

  • Password/Repeat password: the password for the user account

  • Directory path: the path on the server where the settings will be uploaded

Step 3. Select the upload schedule.

In the Schedule tab of the rule, specify when the settings should be uploaded. If specifying the time in the crontab format, enter it as follows:

(minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday)

Each of the first five fields can be defined using:

  • An asterisk (*): denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • Step values: an increment given after a slash, applied to an asterisk or to a range. Examples: "2-10/2" means "2,4,6,8,10", while "*/2" in the hours field means "every two hours".
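The crontab schedule format described for the backup export rule and for the settings export rule above is small enough to validate before a rule is saved. The parser below is an added example, not UGMC code; it expands each of the five fields exactly as the list above describes (asterisk, ranges, comma lists, slash increments) and answers whether a schedule fires at a given UTC minute, rejecting values outside the documented bounds.

```python
"""Five-field crontab schedule parser (added example, not UGMC code)."""
from datetime import datetime

# Field name and bounds, as listed in the rule description (weekday 0 is Sunday).
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 6))


def parse_field(spec, lo, hi):
    """Expand one field ('*', 'a-b', 'a,b', 'a-b/n', '*/n') into a set of ints."""
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:                       # increment is given after the slash
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if item == "*":                       # whole range, first to last number
            first, last = lo, hi
        elif "-" in item:                     # dash denotes a range a-b
            first, last = (int(x) for x in item.split("-", 1))
        else:                                 # a single number
            first = last = int(item)
        if not lo <= first <= last <= hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        values.update(range(first, last + 1, step))
    return values


def parse_schedule(line):
    """Map each of the five fields to the set of values it allows."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    return {name: parse_field(spec, lo, hi)
            for spec, (name, lo, hi) in zip(parts, FIELDS)}


def fires_at(line, when):
    """True if the schedule matches the given datetime (UTC, to the minute)."""
    s = parse_schedule(line)
    weekday = (when.weekday() + 1) % 7        # Python: Monday=0; crontab: Sunday=0
    return (when.minute in s["minute"] and when.hour in s["hour"]
            and when.day in s["day"] and when.month in s["month"]
            and weekday in s["weekday"])


if __name__ == "__main__":
    # Constructed sample: upload at minute 30 every two hours, Monday to Friday.
    rule = "30 */2 * * 1-5"
    print(sorted(parse_schedule(rule)["hour"]))
    print(fires_at(rule, datetime(2022, 7, 15, 8, 30)))   # 2022-07-15 is a Friday
```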
