Timezone
|
The timezone for your location. Used in rule schedules and for the correct display of time and date in reports, logs, etc.
|
Default interface language
|
The language to use by default in the console.
|
Web console authentication mode
|
The method of authenticating the user (administrator) when logging in to the web management console. The options are as follows:
-
Login and password. The administrator must provide their login name and password to get access to the web console.
-
X.509 certificate. For certificate-based authentication, you need a user certificate signed with the certificate of the web console Certification Authority and installed in the browser. When this authentication mode is turned on, the login name and password mode is disabled. You can restore the login name and password authentication mode afterwards using CLI commands.
-
User certificate profile. Authentication Using PKI certificates uses user certificate profile allows managing certificates that provide the security and authentication of network connections.
|
SSL profile for web console
|
Select an SSL profile to build a secure web console access link. For more details on SSL profiles, see the SSL Profiles chapter.
|
SSL Profile for block/authorization pages
|
Select an SSL profile to build a secure link for displaying web resource block pages and the captive portal's auth page. For more details on SSL profiles, see the SSL Profiles chapter.
|
Automatic session closure timer (min)
|
Configure the automatic session closure timer that will expire on the absence of administrator activity in the web console.
|
Endpoint device SSL profile
|
Select an SSL profile to create a secure communication link between NGFW and UserGate Client endpoint devices. For more details on SSL profiles, see the SSL Profiles chapter.
|
Endpoint device certificate
|
The certificate that will be used to create a secure communication link between NGFW and UserGate Client endpoint devices.
Important! Endpoint devices remember the certificate, therefore, when it is changed, you need to distribute the root CA certificate to the connected endpoint devices. The certificate must be installed into the local machine's Trusted Root Certification Authorities certificate store.
|
Server time settings
|
Configure the time synchronization settings.
-
Use NTP servers: use the NTP servers from the provided list for time synchronization.
-
Primary NTP server: the primary time server address. Default value: pool.ntp.org.
-
Secondary NTP server: the secondary time server address.
-
Server time: allows time setting on the server. The UTC timezone should be used.
|
Modules
|
Here you can configure NGFW modules:
-
HTTP(S) proxy port: allows you to specify a non-standard (alternative) port number that will be used to connect to the built-in proxy. By default, TCP port 8090 is used. If changed, the port continues working.
Important! The ports listed here may not be used as they are reserved for NGFW's internal services: 2200, 8001, 4369, 9000-9100.
-
Captive portal auth domain: an internal domain used by NGFW for user authorization via the Captive portal. The users need to be able to resolve the domain provided here into the IP address of the UserGate network interface to which they are connected. If the users have the NGFW's IP address specified as the DNS server, address resolving is configured automatically. The default name is auth.captive. It can be changed to another domain name used in the organization.
-
Captive portal logout domain: an internal domain used by NGFW users to terminate their sessions (log out). The users need to be able to resolve the domain provided here into the IP address of the NGFW network interface to which they are connected. If the users have the NGFW's IP address specified as the DNS server, address resolving is configured automatically. The default name is logout.captive. It can be changed to another domain name used in the organization.
-
Block page domain: an internal domain used to display a block page to users. The users need to be able to resolve the domain provided here into the IP address of the NGFW network interface to which they are connected. If the users have the NGFW's IP address specified as the DNS server, address resolving is configured automatically. The default name is block.captive. It can be changed to another domain name used in the organization.
-
FTP over HTTP: enable or disable the module that provides access to content on FTP servers from a user browser.
The FTP proxy must be specified explicitly in the user browser.
The administrator can restrict access to FTP resources using content filtering rules (only the Users and URL criteria are supported).
-
FTP over HTTP domain: an internal domain used to provide FTP over HTTP service to users. The users need to be able to resolve the domain provided here into the IP address of the NGFW network interface to which they are connected. If the users have the UserGate server's IP address specified as the DNS server, address resolving is configured automatically. The default name is ftpclient.captive. It can be changed to another domain name used in the organization.
-
Tunnel inspection zone: enable or disable the tunnel inspection module and specify a zone where tunnels are to be inspected.
-
Password for terminal server agent: set the password to be used by terminal server authorization agents for connection.
-
LLDP settings: configure the use of the Link Layer Discovery Protocol (LLDP) that enables the network equipment in the local area network to notify devices about its existence, report its characteristics, and receive similar information from the devices. These settings are required:
-
Transmit delay: how long the device will wait before sending advertisements to the neighbors after a change in the LLDP protocol's TLV parameter or the local system state (e.g., a changed hostname or management address). Specified in seconds and can take values from 1 to 3600.
-
Transmit hold: the hold multiplier. The transmit delay multiplied by the transmit hold determines the time to live (TTL) for LLDP packets. Can take values from 1 to 100.
|
Cache settings
|
These are the settings for the proxy cache:
-
Caching mode on/off: enable or disable caching.
-
Cache exclusions: the list of URLs that will not be cached.
-
Max cache object size (MB): objects larger than this will not be cached. It is recommended to leave the default value of 1MB.
-
RAM size (MB): the amount of RAM reserved for the cache. This should not be set to more than 20% of the system RAM.
|
Log Analyzer
|
Configure the LogAn module here:
-
Local/Remote server: if you have a remote LogAn server, select it here, otherwise select the local server.
-
State: shows the current state of the statistics service.
Important! If an external LogAn is specified, that LogAn server will be processing and exporting logs, generating reports, and handling other statistics.
|
Web Portal
|
These are the settings used to provide access to the internal corporate resources using a web portal (SSL VPN). For a detailed description of these settings, see the chapter Web Portal.
|
PCAP Configuration
|
Configure the traffic logging triggered when IPS signatures are encountered. These are the options for packet capture:
Important! A large PCAP value can slow down data processing significantly.
|
Change tracker settings
|
If this option is enabled and Change types have been defined, any change to the configuration introduced by the administrator using the web console will require that the administrator specify the change type and a description for the change. Here are some possible examples of change types:
The number of change types is not limited.
|
UserGate Management Center agent
|
Here you can configure device connection to the central management console (UGMC) that can be used to manage a UserGate device fleet from a single point. TCP ports 2022 and 9712 are used for connection to the UGMC server.
-
Enabled/Disabled: enable or disable management via UGMC.
-
UserGate Management Center address: server address in IPv4 address format, FQDN (IDN address can also be used).
-
Device code: a token required to connect to UGMC.
UGMC can be used as the software and signature update source.
|
Updates download schedule
|
This is where you configure update downloads for UserGate software (UGOS) and updatable libraries provided on subscription (URL filtering category database, IDPS, IP/URL/content type lists etc.).
-
Software updates: configure the schedule for checking and downloading new UGOS updates.
-
Library updates: configure the schedule for checking and downloading new library updates. If the Apply for all updates checkbox is set, the schedule is applied to all libraries, otherwise a separate schedule must be configured for each type of library.
You can select from the following schedule options:
With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using:
-
An asterisk (*) denotes the entire range (from the first number to the last).
-
A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.
-
Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".
-
An asterisk or range spacing: used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".
|
Upstream proxy
|
Configure upstream proxy settings for user traffic redirection. The settings include the proxy type (HTTP(S), SOCKS5), IP address, and port, as well as the login and password for authenticating with the proxy (if required).
|