Protect the server with the UserGate VE firewall

  1. Link the firewall server and the protected server.
  2. Check the interfaces.
  3. Configure the local interface on the firewall.
  4. Configure a NAT rule.
  5. Configure the filtering rules.

1. Link the firewall server and the protected server

How connectivity to the protected infrastructure is organized depends on whether the firewall is deployed on a cloud server or on a virtual machine in a VMware-based public or private cloud.

  1. If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster in the same project as the firewall, add the firewall server to the project's private network. For different projects in the same pool, configure access to the private network across those projects.

  2. If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster in a different pool, or a dedicated server, a hosted server, or a VMware-based virtual machine in the cloud, use a Selectel Global Router (formerly L3 VPNs).

2. Check interfaces

UserGate network interfaces are organized into zones, and security policies are configured per zone. By default, the Internet port is assigned to zone 1, the zone through which Internet access and connections from external networks are made.

After adding the LAN interface, check that the Internet port is still in the correct zone and reassign it if necessary.

  1. Open the CLI.

  2. Perform a software reboot of the server.

  3. When the system boots, select Support Menu.

  4. Select Refresh NIC names and click OK.

  5. Wait for the reboot to complete.

  6. Log in with the default credentials:

    • login: Admin;
    • password: utm.
  7. Print the list of interfaces:

    iface list
  8. Make sure that the zone line for the Internet port is set to __default__ (ID=1).

  9. If the value does not match, change the zone for the Internet port:

    iface config -name <eth_name> -zone 1

    where <eth_name> is the name of the Internet port.

3. Configure the local interface on the firewall

  1. Connect to the firewall.
  2. Go to Settings → Network → Interfaces.
  3. For the added port (port1), click Enable.
  4. Click Edit.
  5. Open the General tab.
  6. In the Zone field, select — Trusted.
  7. Open the Network tab.
  8. In the Mode field, select Static.
  9. Click Add.
  10. Enter the IP address of the interface.
  11. Optional: change the mask.
  12. Click Save.

4. Configure a NAT rule

  1. Connect to the firewall.
  2. Go to Settings → Network Policies → NAT and Routing.
  3. Click Add.
  4. Open the General tab.
  5. Enter the name of the rule.
  6. Optional: enter a description of the rule.
  7. Select the type — NAT.
  8. In the SNAT IP field, enter the IP address of the firewall's Internet port that will replace the source address. If the firewall is deployed on a cloud server with a single public address, specify the private-network address to which the public address is bound.
  9. Open the Source tab.
  10. In the Source Zone block, check the Trusted checkbox.
  11. Optional: add a specific IP address or subnet that can be the source of the traffic. In the Source Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
  12. Open the Destination tab.
  13. In the Destination Zone block, check the Management checkbox.
  14. Optional: add a specific IP address or subnet to which traffic can be sent. In the Destination Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
  15. Optional: to limit the ports allowed for outgoing traffic, add them on the Service tab.
  16. Click Save.

5. Configure filtering rules

  1. Connect to the firewall.
  2. Go to Settings → Network Policies → Firewall.
  3. Click Add.
  4. Open the General tab.
  5. Enter the name of the policy.
  6. Optional: enter a description of the policy.
  7. Select the action — Allow.
  8. Open the Source tab.
  9. Check the Trusted checkbox.
  10. Optional: add a specific IP address or subnet that can be the source of the traffic. In the Source Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
  11. Open the Destination tab.
  12. In the Destination Zone block, check the Management checkbox.
  13. Optional: add a specific IP address or subnet to which traffic can be sent. In the Destination Address block, click Create and Add New Object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
  14. Optional: to limit the ports allowed for outgoing traffic, add them on the Service tab.
  15. Click Save.
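To make the scoping of the NAT rule (section 4) and the filtering rule (section 5) concrete, here is an added Python model of rule matching. It is not UserGate's code: the zone names follow the steps above, while the rule names, the subnet, the service list and the packets are constructed for illustration. It shows what the optional steps mean in practice: an empty address or service block matches anything, so a rule with only zones selected lets every host behind the firewall reach any external address on any port, whereas populating those blocks narrows the rule to the hosts and services that actually need it.

```python
"""Added model (not UserGate code) of how a NAT or firewall rule scopes traffic:
the zone match is mandatory, while the source address, destination address and
service lists are optional and an empty list means "any". All rule values and
packets below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src_zones: frozenset                           # Source tab, e.g. {"Trusted"}
    dst_zones: frozenset                           # Destination tab, e.g. {"Management"}
    src_addrs: list = field(default_factory=list)  # CIDR strings; [] = any source
    dst_addrs: list = field(default_factory=list)  # CIDR strings; [] = any destination
    services: list = field(default_factory=list)   # (proto, port) pairs; [] = any service


def _addr_matches(addr: str, networks: list) -> bool:
    """Empty address object = match everything (the 'if you do not add addresses' case)."""
    if not networks:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in networks)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True when every populated criterion of the rule matches the packet."""
    return (
        pkt["src_zone"] in rule.src_zones
        and pkt["dst_zone"] in rule.dst_zones
        and _addr_matches(pkt["src"], rule.src_addrs)
        and _addr_matches(pkt["dst"], rule.dst_addrs)
        and (not rule.services or (pkt["proto"], pkt["dport"]) in rule.services)
    )


def first_match(rules: list, pkt: dict):
    """Rules are evaluated top-down; return the name of the first matching rule, or None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


# Constructed rule with every optional block left empty: any host in Trusted
# may reach any address in the Management (Internet) zone on any port.
BROAD = Rule("allow-trusted-out", frozenset({"Trusted"}), frozenset({"Management"}))

# Constructed rule restricted to one subnet and two services, as the optional
# steps allow (the subnet and ports are assumed values).
TIGHT = Rule(
    "allow-web-from-app-subnet",
    frozenset({"Trusted"}),
    frozenset({"Management"}),
    src_addrs=["10.10.1.0/24"],
    services=[("tcp", 80), ("tcp", 443)],
)

# Constructed packets as the firewall would see them after zone lookup.
WEB_FROM_APP = {"src_zone": "Trusted", "dst_zone": "Management",
                "src": "10.10.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
SSH_FROM_APP = dict(WEB_FROM_APP, dport=22)
WEB_FROM_OTHER = dict(WEB_FROM_APP, src="10.10.2.7")
INBOUND = dict(WEB_FROM_APP, src_zone="Management", dst_zone="Trusted",
               src="203.0.113.10", dst="10.10.1.5")


if __name__ == "__main__":
    cases = [("web from app subnet", WEB_FROM_APP), ("ssh from app subnet", SSH_FROM_APP),
             ("web from other subnet", WEB_FROM_OTHER), ("inbound from Internet", INBOUND)]
    for label, pkt in cases:
        print(f"{label:24s} broad={first_match([BROAD], pkt)!s:20s} "
              f"tight={first_match([TIGHT], pkt)}")
```

Run as a script, it shows that the broad rule matches all three outbound packets while the tight rule admits only HTTPS from the application subnet; neither rule matches the inbound packet, because its source zone is not Trusted. That is the property to keep in mind when deciding whether to fill in the optional address and service blocks.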