Protect the server with the UserGate VE firewall
- Link the firewall server and the protected server.
- Check the interfaces.
- Configure the local interface on the firewall.
- Configure a NAT rule.
- Configure the filtering rules.
1. Link the firewall server and the protected server
How you connect the firewall to the protected infrastructure depends on whether the firewall is deployed on a cloud server or on a virtual machine in a VMware-based public or private cloud.
Cloud server
- If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster in the same project as the firewall, add the firewall server to the project's private network. For different projects in the same pool, configure access to the private network in different projects.
- If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster in a different pool, or a dedicated server, a hosted server, or a VMware-based virtual machine in the cloud, use a Selectel Global Router (formerly L3 VPN).
- Optional: if you do not have a private subnet in the data center where the firewall is deployed, or you want to use a new one, create a new private subnet. When creating the subnet:
  - select the first address of the subnet as the gateway; when entering the IP range, exclude the selected gateway address;
  - specify the Selectel DNS server 188.93.16.19 as the Secondary DNS.
VMware-based cloud
- In the Dashboard, in the top menu, click Products and select VMware-based Cloud.
- Navigate to the Cloud Director section.
- Open the Virtual Data Center page → Virtual Machines section.
- Open the virtual machine page.
- Go to Hardware → NICs.
- Click Edit.
- Click ADD NETWORK TO VAPP.
- In the Type field, select Routed.
- In the table, select a private subnet. If you need to protect virtual machines in the same data center as the firewall, you can connect them with a single private network. You can use a common subnet for different data centers in the same organization.
- Enter the name of the network.
- In the Gateway CIDR field, enter the subnet gateway from the Gateway CIDR column of the selected subnet.
- Click Add.
- In the NIC 1 row, in the Network column, select the subnet.
- In the NIC 1 row, in the IP Mode column, select Static — Manual.
- In the NIC 1 row, in the IP column, enter an IP address from the subnet other than the gateway address.
- If you need to protect a virtual machine in another organization, a cloud server, a cloud database, a dedicated server, hosted hardware, or a Managed Kubernetes cluster, connect them to the firewall through a global router.
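As an added example (not code from Selectel or UserGate), the Python snippet below applies the subnet rules from this step: the first address of the subnet is the gateway and is excluded from the host range, 188.93.16.19 is the secondary DNS, and a static NIC address must lie inside the subnet without being the gateway. The subnet 10.10.0.0/24 is a constructed sample.

```python
import ipaddress

SELECTEL_SECONDARY_DNS = "188.93.16.19"  # Selectel DNS server named in the guide


def plan_private_subnet(cidr):
    """Plan a private subnet as the guide describes: gateway = first usable
    address, and the range handed out to hosts starts right after it."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{cidr} has no room for a gateway plus a host")
    gateway = hosts[0]
    return {
        "gateway_cidr": f"{gateway}/{net.prefixlen}",  # value for the Gateway CIDR field
        "range_start": str(hosts[1]),                  # IP range excludes the gateway
        "range_end": str(hosts[-1]),
        "secondary_dns": SELECTEL_SECONDARY_DNS,
    }


def validate_nic_ip(cidr, ip):
    """Check a static NIC address: inside the subnet, not the gateway,
    and not the network or broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False, f"{ip} is outside {cidr}"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{ip} is the network or broadcast address"
    if addr == next(net.hosts()):
        return False, f"{ip} is the gateway address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample subnet, not a value from a real deployment
    print(plan_private_subnet("10.10.0.0/24"))
    print(validate_nic_ip("10.10.0.0/24", "10.10.0.1"))   # rejected: gateway
    print(validate_nic_ip("10.10.0.0/24", "10.10.0.10"))  # accepted
```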
2. Check interfaces
UserGate network interfaces are organized into zones, and security policies are configured per zone. By default, the Internet port is assigned to zone 1, the zone through which Internet access and connections from external networks are made.
After adding the LAN interface, check that the Internet port is in the correct zone and reassign it if necessary.
UGOS 6
- Open the CLI.
- Perform a programmatic reboot of the server.
- When the system boots, select Support Menu.
- Select Refresh NIC names and click OK.
- Wait for the reboot to complete.
- Log in with the default credentials:
  - login Admin;
  - password utm.
- Print the list of interfaces:
  iface list
- Make sure that the zone line for the Internet port is set to __default__ (ID=1).
- If the value does not match, change the zone for the Internet port:
  iface config -name <eth_name> -zone 1
  Here <eth_name> is the name of the Internet port.
UGOS 7
- Open the CLI.
- Select the UGOS NGFW (serial console) mode.
- Log in with the default credentials:
  - login Admin;
  - password: leave the field blank.
- Enter configuration mode:
  configure
- Update the NIC mapping:
  clear network interface-mapping
- Restart the server:
  reboot
- Enter your username and password.
- Enter configuration mode:
  configure
- Print the list of interfaces:
  show
- Make sure that the zone line for the Internet port is set to __default__.
- If the value does not match, change the zone for the port:
  set network interface adapter <eth_name> -zone 1
  Here <eth_name> is the name of the Internet port.
3. Configure the local interface on the firewall
- Connect to the firewall.
- Go to Settings → Network → Interfaces.
- For the added port port1, click Enable.
- Click Edit.
- Open the General tab.
- In the Zone field, select Trusted.
- Open the Network tab.
- In the Mode field, select Static.
- Click Add.
- Enter the IP address of the interface.
- Optional: change the mask.
- Click Save.
4. Configure a NAT rule
- Connect to the firewall.
- Go to Settings → Network Policies → NAT and Routing.
- Click Add.
- Open the General tab.
- Enter the name of the rule.
- Optional: enter a description of the rule.
- Select the type — NAT.
- In the SNAT IP field, enter the IP address of the firewall's Internet port; the source address of outgoing traffic will be replaced with it. If the firewall is deployed on a cloud server with a single public address, specify the private-network address to which the public address is bound.
- Open the Source tab.
- In the Source Zone block, check the Trusted checkbox.
- Optional: add a specific IP address or subnet that can be the source of the traffic. In the Source Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
- Open the Destination tab.
- In the Destination Zone block, check the Management checkbox.
- Optional: add a specific IP address or subnet to which traffic can be sent. In the Destination Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
- Optional: to limit the list of ports for outgoing traffic, add them on the Tools tab.
- Click Save.
5. Configure filtering rules
- Connect to the firewall.
- Go to Settings → Network Policies → Firewall.
- Click Add.
- Open the General tab.
- Enter the name of the policy.
- Optional: enter a description of the policy.
- Select the action — Allow.
- Open the Source tab.
- Check the Trusted checkbox.
- Optional: add a specific IP address or subnet that can be the source of the traffic. In the Source Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
- Open the Destination tab.
- In the Destination Zone block, check the Management checkbox.
- Optional: add a specific IP address or subnet to which traffic can be sent. In the Destination Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
- Optional: to limit the list of ports for outgoing traffic, add them on the Tools tab.
- Click Save.
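As an added example (not UserGate code), the Python model below reproduces the matching logic of the NAT rule from step 4 and the Allow filtering rule from step 5, so you can see what leaving the Source Address or Destination Address object empty means in practice. Zone names come from the guide; the SNAT address, the sample subnet and the port list are constructed placeholders, and the processing order (filter, then NAT) is a simplification of this model, not a statement about UserGate internals.

```python
import ipaddress

SNAT_IP = "203.0.113.10"  # placeholder for the firewall's Internet-port (or bound private) address
ANY = ()                  # empty address object: no restriction, as the guide states

# Constructed rules mirroring steps 4 and 5; "ports" stands for the Tools-tab restriction
NAT_RULE = {"src_zone": "Trusted", "dst_zone": "Management",
            "src_addrs": ("10.10.0.0/24",),  # Source Address object
            "dst_addrs": ANY,                # no Destination Address object: any external network
            "ports": (80, 443),              # () would mean all ports
            "snat_ip": SNAT_IP}
FW_RULE = {"action": "Allow", "src_zone": "Trusted", "dst_zone": "Management",
           "src_addrs": ("10.10.0.0/24",), "dst_addrs": ANY, "ports": (80, 443)}


def addr_match(addrs, ip):
    """True when the address object is empty (any) or contains ip."""
    if not addrs:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in addrs)


def rule_matches(rule, src_zone, src_ip, dst_zone, dst_ip, port):
    return (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
            and addr_match(rule["src_addrs"], src_ip)
            and addr_match(rule["dst_addrs"], dst_ip)
            and (not rule["ports"] or port in rule["ports"]))


def evaluate(src_zone, src_ip, dst_zone, dst_ip, port,
             fw_rules=(FW_RULE,), nat_rules=(NAT_RULE,)):
    """Return (verdict, source address the destination sees).
    Traffic must hit an Allow filtering rule or it is denied; allowed traffic
    that also matches a NAT rule leaves with the SNAT IP as its source."""
    flow = (src_zone, src_ip, dst_zone, dst_ip, port)
    if not any(r["action"] == "Allow" and rule_matches(r, *flow) for r in fw_rules):
        return "Deny", None
    for r in nat_rules:
        if rule_matches(r, *flow):
            return "Allow", r["snat_ip"]
    return "Allow", src_ip  # allowed but not translated


if __name__ == "__main__":
    print(evaluate("Trusted", "10.10.0.5", "Management", "198.51.100.7", 443))  # Allow via SNAT
    print(evaluate("Trusted", "10.10.0.5", "Management", "198.51.100.7", 22))   # Deny: port not listed
    # With no Source Address object on either rule, every private network behind the firewall matches
    wide = (dict(FW_RULE, src_addrs=ANY),), (dict(NAT_RULE, src_addrs=ANY),)
    print(evaluate("Trusted", "10.20.0.5", "Management", "198.51.100.7", 443, *wide))
```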