Zone Configuration

A zone in NGFW is a logical grouping of network interfaces. NGFW security policies reference zones rather than the interfaces themselves, which keeps policies independent of the physical interface layout and considerably simplifies managing an HA cluster: zones are identical on all cluster nodes, i.e., they are a global setting for the entire cluster.

It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, partner-connected interface zone, etc.

NGFW is supplied with the following default zones:

  • Management: used to connect trusted networks from which NGFW management is allowed.

  • Trusted: used to connect trusted networks, such as LANs.

  • Untrusted: used for interfaces connected to untrusted networks, such as the Internet.

  • DMZ: used for interfaces connected to the DMZ network.

  • Cluster: used for interfaces that carry the traffic needed for cluster operation.

  • VPN for Site-to-Site: used for all Office-to-Office clients that connect to NGFW over a VPN.

  • VPN for remote access: used for all mobile users who connect to NGFW over a VPN.

  • Tunnel inspection zone: the source and destination addresses of packets encapsulated in a tunnel belong to this zone.

NGFW administrators can edit the settings for the default zones and create additional zones.

Note: a maximum of 255 zones can be created.

To create a zone, follow these steps:


Step 1. Create a new zone.

Click Add and provide a name for the new zone.

Step 2. (Optional) Configure the DoS protection settings for the zone.

Configure the network flood protection settings for the TCP (SYN flood), UDP, and ICMP protocols in the zone:

  • Aggregate: if set, all packets entering the zone's interfaces are counted together against the thresholds, regardless of their source. If not set, a separate counter is kept for each source IP address.

  • Alert threshold: when the packet rate exceeds this value, the event is recorded in the system log.

  • Drop threshold: when the packet rate exceeds this value, NGFW starts dropping the packets and records the event in the system log.

The recommended values are 300 packets per second for the alert threshold and 600 packets per second for the drop threshold. It is recommended to enable flood protection on all interfaces except those in the Cluster zone.

Increase the UDP drop threshold if the zone's interfaces carry UDP-heavy services such as VoIP or L2TP VPN; otherwise legitimate traffic from those services will be dropped once the threshold is reached.

DoS protection exclusions: list the IP addresses of servers that should be excluded from the protection, e.g., a VoIP server that legitimately sends large numbers of UDP packets.

Important! NGFW allows more granular DoS protection. For more details, see the DoS Protection section.

Step 3. (Optional) Configure the access control settings for the zone.

Specify the NGFW-provided services that will be reachable from clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet, and to enable only the services a zone genuinely needs (e.g., VPN on the zone where remote users arrive).

The following services exist:

  • Ping: enables pinging of NGFW.

  • SNMP: provides SNMP access to NGFW (UDP 161).

  • Captive portal and Block pages: required for displaying the captive portal's auth page and block page (TCP 80, 443, 8002).

  • Control XML-RPC: enables API control of the product (TCP 4040).

  • Cluster: required for combining several NGFW nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required for combining several NGFW nodes into a HA cluster (IP protocol 112).

  • Administrative console: provides access to the administrative web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • HTTP(S) proxy: provides access to the HTTP(S) proxy service (TCP 8090).

  • Authorization agent: provides server access required by Windows authorization agents and terminal servers (UDP 1813).

  • SMTP(S) proxy: spam filtering for SMTP traffic. Required only when publishing a mail server to the Internet. For more details, see the Mail Security section.

  • POP3(S) proxy: spam filtering for POP3 traffic. Required only when publishing a mail server to the Internet. For more details, see the Mail Security section.

  • CLI over SSH: provides access to the command line interface (CLI) for management (TCP 2200).

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • Reverse proxy: required for publishing internal resources using a reverse proxy. For more details, see the HTTP/HTTPS Resource Publishing Using Reverse Proxy section.

  • Web portal: required for publishing internal resources using an SSL VPN. For more details, see the Web Portal section.

  • Log Analyzer: provides connection to Log Analyzer (TCP 2023, 9713).

  • OSPF: OSPF dynamic routing service. For more details, see the OSPF section.

  • BGP: BGP dynamic routing service. For more details, see the BGP section.

  • RIP: RIP dynamic routing service.

  • BFD: Bidirectional Forwarding Detection, used for fast detection of link and neighbor failures.

  • SNMP Proxy: service used to build a distributed monitoring system for load balancing and distributed network infrastructure monitoring.

  • SSH Proxy: service used to initiate SSH traffic.

  • Multicast: multicast service.

  • NTP service: enables access to a time server running on the NGFW server.

  • UserID syslog collector: a service that collects information from remote devices over the Syslog protocol (default port 514).

  • Endpoints connection: a service used to allow connection of endpoints with UserGate Client software (TCP 4045) installed.

For more on network availability requirements, see the appendix Network Environment Requirements.

Step 4. (Optional) Configure the IP spoofing protection settings.

In an IP spoofing attack, a malicious actor sends a packet from an external network, such as Untrusted, into an internal one, such as Trusted, with the source IP address replaced by an address from the internal network. The packet then appears to originate inside, and any responses to it are sent to that internal address.

To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone. Network packets with source IP addresses outside those ranges are dropped.

Using the Negate checkbox, the administrator instead specifies the source IP address ranges that must never appear on this zone's interfaces: packets with source addresses inside those ranges are dropped, and everything else is accepted. For example, for the Untrusted zone you can list the private (RFC 1918) ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and enable Negate, so that no packet claiming an internal address is accepted from the Internet.
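The following source-address check is an added illustration of the Step 4 logic written for this page; it is not NGFW code and does not use any NGFW API. It assumes the check is applied to packets entering the zone, that an allow-list zone accepts only sources inside its ranges, and that a negated zone drops sources inside its ranges and accepts everything else. The zone names, prefixes and packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Added example for the Step 4 anti-spoofing check; not NGFW code.
# Assumption: the check runs on packets entering the zone, and a source
# that is not inside any listed range counts as "outside" the ranges.

PRIVATE_V4 = ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # the "gray" ranges


class ZoneSourceFilter:
    """Allowed source ranges for one zone.

    negate=False: only packets whose source lies in `ranges` are accepted.
    negate=True:  packets whose source lies in `ranges` are dropped, the rest accepted.
    """

    def __init__(self, zone, ranges, negate=False):
        self.zone = zone
        self.networks = [ip_network(r) for r in ranges]
        self.negate = negate

    def accepts(self, src):
        # ip_address(v6) in ip_network(v4) is False, so an IPv6 source is never
        # "inside" an IPv4 range: it is accepted by a negated zone and dropped
        # by an allow-list zone.
        inside = any(ip_address(src) in net for net in self.networks)
        return not inside if self.negate else inside


# Two constructed zones: Trusted allows only its own LAN prefix, Untrusted
# uses the Negate option on the private ranges as the text suggests.
ZONES = {
    'Trusted': ZoneSourceFilter('Trusted', ['192.168.10.0/24']),
    'Untrusted': ZoneSourceFilter('Untrusted', PRIVATE_V4, negate=True),
}


def verdict(zone, src):
    """'accept' or 'drop' for a packet with source `src` entering `zone`."""
    return 'accept' if ZONES[zone].accepts(src) else 'drop'


def spoof_demo():
    # Constructed packets: a spoofed LAN address arriving on Untrusted, a real
    # Internet source, both sides of the 172.16/12 boundary, and an IPv6 source.
    cases = [('Untrusted', '192.168.10.7'), ('Untrusted', '203.0.113.9'),
             ('Untrusted', '172.31.255.255'), ('Untrusted', '172.32.0.1'),
             ('Trusted', '192.168.10.7'), ('Trusted', '203.0.113.9'),
             ('Untrusted', '2001:db8::1')]
    return {case: verdict(*case) for case in cases}
```

Note the asymmetry the demo exposes: with only IPv4 ranges in the negate list, an IPv6 source on the Untrusted zone is not dropped, so if the zone also carries IPv6 the corresponding unique-local and link-local prefixes have to be listed as well.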

Step 5. (Optional) Set session limits.

Limiting the number of concurrent connections from a single IP address caps the active network connections that may originate from the same source. This is done for several reasons:

  • To defend against attacks: a malicious host can open a large number of concurrent connections from one IP address to exhaust server or firewall resources (a denial-of-service attack), and each participant in a distributed attack does the same. A per-address limit caps the load any single source can impose.

  • To prevent abuse: some users may try to monopolize resources by creating many concurrent connections. Limiting connections prevents such overuse and keeps the load evenly distributed.

  • To preserve availability: one user cannot take up all available resources and leave little for others; the limit keeps resources available for everyone.

  • To better manage resources: bounded per-source usage makes network and server load more stable and predictable.

To limit the number of concurrent connections from a single IP address:

  1. Select the Enable sessions limiting per IP checkbox.

  2. Specify the maximum allowed number of sessions originating from a single IP address.

  3. Add a list of IP addresses to which the limit will not apply. For more details about how to create an IP address list, see the IP Addresses section.
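The Step 2 flood thresholds and the Step 5 session limit are both per-source counters with an exclusion list, so one added example serves both. It is written for this page and is not NGFW code: it assumes a one-second counting window for the flood thresholds, that both exclusion lists match on the packet's source address, and that the recommended 300/600 packets-per-second values are in use. The hosts and traffic are constructed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Added example for the Step 2 flood thresholds and the Step 5 session limit;
# not NGFW code. Assumptions: one-second window, exclusions keyed on the
# source address, recommended thresholds of 300 (alert) / 600 (drop) pps.


def _in_any(src, networks):
    ip = ip_address(src)
    return any(ip in n for n in networks)


class FloodGuard:
    """Alert/drop thresholds in packets per second for one protocol in a zone."""

    def __init__(self, alert=300, drop=600, aggregate=False, exclusions=()):
        self.alert, self.drop, self.aggregate = alert, drop, aggregate
        self.exclusions = [ip_network(n) for n in exclusions]
        self.window, self.counts = None, defaultdict(int)
        self.log = []  # what would be written to the system log

    def packet(self, second, src):
        """Return 'accept' or 'drop' for a packet arriving at `second` from `src`."""
        if second != self.window:  # new one-second window: reset the counters
            self.window, self.counts = second, defaultdict(int)
        if _in_any(src, self.exclusions):
            return 'accept'  # excluded servers are not counted at all
        key = 'zone' if self.aggregate else src  # one counter, or one per source IP
        self.counts[key] += 1
        n = self.counts[key]
        if n == self.alert + 1:
            self.log.append(f't={second} alert threshold exceeded for {key}')
        if n == self.drop + 1:
            self.log.append(f't={second} drop threshold exceeded for {key}')
        return 'drop' if n > self.drop else 'accept'


class SessionLimiter:
    """Maximum concurrent sessions per source IP; excluded sources are never refused."""

    def __init__(self, max_per_ip, exclusions=()):
        self.max_per_ip = max_per_ip
        self.exclusions = [ip_network(n) for n in exclusions]
        self.active = Counter()

    def open(self, src):
        """True if a new session from `src` is admitted."""
        if not _in_any(src, self.exclusions) and self.active[src] >= self.max_per_ip:
            return False
        self.active[src] += 1
        return True

    def close(self, src):
        """Session ended: free the slot so later sessions are admitted again."""
        if self.active[src] > 0:
            self.active[src] -= 1


def flood_demo(aggregate):
    """Constructed second of UDP traffic: 500 packets from each of two Internet
    hosts plus 1000 from an excluded VoIP server. Returns (accepted, dropped)
    per source and the log lines."""
    guard = FloodGuard(aggregate=aggregate, exclusions=['10.0.0.5/32'])
    tally = defaultdict(lambda: [0, 0])
    stream = [('203.0.113.10', 500), ('203.0.113.11', 500), ('10.0.0.5', 1000)]
    for src, count in stream:
        for _ in range(count):
            tally[src][0 if guard.packet(1, src) == 'accept' else 1] += 1
    return {src: tuple(v) for src, v in tally.items()}, guard.log


def session_demo():
    lim = SessionLimiter(max_per_ip=3, exclusions=['192.168.1.50/32'])
    admitted = [lim.open('203.0.113.7') for _ in range(4)]  # the fourth is refused
    lim.close('203.0.113.7')
    reopened = lim.open('203.0.113.7')  # a freed slot admits the next session
    excluded = all(lim.open('192.168.1.50') for _ in range(10))
    return admitted, reopened, excluded
```

Running flood_demo with and without Aggregate shows why the setting matters: per source, two hosts at 500 pps each only trip the alert threshold, whereas in aggregate mode the same traffic crosses the 600 pps drop threshold and the second host loses 400 of its 500 packets. The excluded VoIP server is never counted in either mode. session_demo shows the other half of Step 5: the limit is on concurrent sessions, so closing one frees a slot, and an address on the exclusion list is never refused.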