Configuring device management

Configuring diagnostics

At the settings radmin level, you can enable or disable remote access to the server for the UserGate technical support (Radmin). To enable/disable Radmin, use the following command:

Admin@nodename# set settings radmin enabled <on | off>

To view the Radmin state, use the following command:

Admin@nodename# show settings radmin

The server diagnostics settings that the technical support team needs for troubleshooting are set at the settings loglevel level. You can use the following command to set the desired diagnostic details level (disabled; errors only; errors and warnings; errors, warnings, and additional information; maximum level of detail):

Admin@nodename# set settings loglevel value <off | error | warning | info | debug>

To view the status of the diagnostics detail level, use the following command:

Admin@nodename# show settings loglevel

value : error

Configuring radmin emergency

To activate the remote assistant when a problem with the node's core software arises, the administrator can log in to the CLI using the root administrator account created when UserGate was initialized. Usually, this is the Admin account; however, it is not always so. To log in, specify the name as Admin@emergency and use the root administrator password as the password. To enable/disable remote access to the server for technical support in such cases, use the following command:

Admin@nodename# set radmin-emergency enabled <on | off>

Parameter        Description
interface        The interface name.
ip-addr          Interface IP address and mask.
gateway-address  Gateway IP address.

Configuring server operations

To set an update channel, use the following command:

Admin@nodename# set settings device-mgmt updates-channel <stable | beta>

To view any updates and the selected update channel, use the following command:

Admin@nodename# show settings device-mgmt updates-channel

System backup management

A device backup is created at the settings device-mgmt level. To create a backup rule and upload files to external FTP/SSH servers, use the following command:

Admin@nodename# create settings device-mgmt settings-backup <parameters>

The available parameters include:

Parameter    Description
enabled      Enable/disable the device backup rule.
name         The name of the backup rule.
description  A description of the backup rule.
type         Select a remote server to export files: ssh, ftp.
address      Remote server IP address.
port         Port:
login        Remote server login name.
password     Password for the login name.
path         Directory path to upload the files to.
schedule     The backup file export schedule.

The time is set in the Crontab format: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6; where 0 is Sunday). You can set each field as follows:

  • An asterisk (*) denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • An asterisk or range spacing: used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".

To edit an existing UserGate device backup rule, use the following command:

Admin@nodename# set settings device-mgmt settings-backup <rule-name>

You can use the same set of parameters as when creating rules.

To delete a backup rule:

Admin@nodename# delete settings device-mgmt settings-backup <rule-name>

To display a backup rule:

Admin@nodename# show settings device-mgmt settings-backup <rule-name>

In the rule edit, delete, or display commands, <filter> can include the parameters specified in an existing rule in addition to the rule name (this can be helpful if there are multiple rules with the same name). Parameters used to identify an export rule are similar to those of the set command.

Settings Export

You create and configure export settings rules at the settings device-mgmt settings-export level.

To create an export settings rule, use the following command:

Admin@nodename# create settings device-mgmt settings-export ( <parameters> )

Available parameters:

Parameter    Description
enabled      Enable/disable an export settings rule for the UserGate server.
name         Export rule name.
description  Export rule description.
type         Select a remote server to export settings: ssh, ftp.
address      Remote server IP address.
port         Port:
login        Remote server login name.
password     Password for the login name.
path         Directory path to upload the settings to.
schedule     Schedule for settings export.

The time is set in the Crontab format: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6; where 0 is Sunday). You can set each field as follows:

  • An asterisk (*) denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • An asterisk or range spacing: used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".
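
The schedule field rules above (the same for backup rules and settings-export rules), as an added example that is not part of the UserGate documentation: a Python checker that expands each field, so a schedule string can be validated before it is put into a rule. It accepts only the forms listed on this page; the function names are illustrative, and nothing is assumed about other cron forms the appliance may accept.

```python
import re

# Field order and ranges exactly as the page lists them.
FIELDS = [
    ("minutes", 0, 59),
    ("hours", 0, 23),
    ("days of the month", 1, 31),
    ("month", 1, 12),
    ("days of the week", 0, 6),   # 0 is Sunday
]
# One list item: "*", "N" or "N-M", optionally followed by "/step".
ITEM = re.compile(r"(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?", re.ASCII)


def expand_field(spec, lo, hi):
    """Return the sorted values one field selects; raise ValueError if invalid."""
    values = set()
    for item in spec.split(","):
        m = ITEM.fullmatch(item)
        if m is None:
            raise ValueError(f"unrecognized item {item!r}")
        whole, first, last, step = m.groups()
        if whole == "*":
            start, end = lo, hi
        else:
            start = int(first)
            end = int(last) if last is not None else start
        if step is not None and whole != "*" and last is None:
            raise ValueError(f"increment in {item!r} needs '*' or a range")
        step = int(step) if step is not None else 1
        if step < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi} or has a zero step")
        values.update(range(start, end + 1, step))
    return sorted(values)


def expand_schedule(schedule):
    """Expand a five-field schedule string into {field name: selected values}."""
    parts = schedule.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: expand_field(spec, lo, hi)
            for spec, (name, lo, hi) in zip(parts, FIELDS)}


if __name__ == "__main__":
    # Constructed sample: 02:30 on Monday through Friday.
    for name, selected in expand_schedule("30 2 * * 1-5").items():
        print(f"{name}: {selected}")
```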

To update an existing rule to export UserGate server settings, use the following command:

Admin@nodename# set settings device-mgmt settings-export <rule-name>

You can use the same set of parameters as when creating rules.

To delete a rule to export settings, use the following command:

Admin@nodename# delete settings device-mgmt settings-export <rule-name>

To display a rule to export settings, use the following command:

Admin@nodename# show settings device-mgmt settings-export <rule-name>

For update, delete or display rule commands, you can set <filter> not only to the rule name, but also to the parameters specified in an existing rule (this may be helpful if there is more than one rule with the same name). Parameters used to identify an export rule are similar to those of the set command.

Settings for protecting configuration data from changes

To configure settings for protecting product configuration data (settings) from being changed, use the following command:

Admin@nodename# set settings change-control config <off | log | block>

Configuration data integrity is checked every few minutes after UserGate boots.

  • log: enable configuration change tracking. If any changes are detected, UserGate records this information in the event log. A password is required which will be used to change the tracking mode.

  • off: disable configuration change tracking. Requires the password that was set when enabling the configuration change tracking.

  • block: enable configuration change tracking. A password is required which will be used to change the tracking mode. If any changes are detected, UserGate records this information in the event log and creates a firewall blocking rule that denies any transit traffic through UserGate.

Before enabling configuration data protection, the administrator configures the product according to the organization's requirements and then "freezes" the settings (log or block mode). Any setting change through the web interface, CLI, or other means will result in logging and/or blocking of transit traffic, depending on the selected mode.

To view the current configuration data protection mode, use the following command:

Admin@nodename# show settings change-control config

Protect executable files from changes

To configure settings to protect product executable code from potential unauthorized modification, use the following command:

Admin@nodename# set settings change-control code <off | log | block>

Executable code integrity is checked every few minutes after UserGate boots.

  • log: enable the tracking of unauthorized changes in executable code. If any changes are detected, UserGate records this information in the event log. A password is required which will be used to change the tracking mode.

  • off: disable the tracking of unauthorized changes in executable code. Requires the password that was set when enabling the executable code change tracking.

  • block: enable the tracking of unauthorized changes in executable code. A password is required which will be used to change the tracking mode. If any changes are detected, UserGate records this information in the event log and creates a firewall blocking rule that denies any transit traffic through UserGate. To disable an existing firewall rule you need to disable tracking of unauthorized changes.

To view the current executable file protection mode, use the following command:

Admin@nodename# show settings change-control code

Configuring Accelerated Network Traffic Processing Mode

To enable/disable the accelerated traffic processing mode, use the command:

Admin@nodename# set settings fastpath enabled <on | off>

To view the settings for the accelerated traffic processing mode, use the command:

Admin@nodename# show settings fastpath