Protect the server with the UserGate VE firewall

  1. Link the firewall server and the protected server.
  2. Check the interfaces.
  3. Configure the local interface on the firewall.
  4. Configure the NAT rule.
  5. Configure filtering rules.

How you connect the firewall to the protected infrastructure depends on whether the firewall is deployed on a cloud server or on a virtual machine in a VMware-based public or private cloud.

  1. If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster that is in the same project as the firewall, add the firewall server to the project's private network. For different projects in the same pool, configure access to the private network across projects.
  2. If you need to protect a cloud server, a Managed Kubernetes cluster, or a cloud database cluster that is in a different pool, or a dedicated server, a hosted server, or a VMware-based virtual machine in the cloud, use a Selectel global router (formerly L3 VPNs).

Check interfaces

UserGate network interfaces are organized into zones for which security policies are configured. By default, the Internet port is assigned to zone 1, which is used for Internet access and connections from external networks.

After adding the LAN interface, you need to verify that the Internet port is in the correct zone and reassign it if necessary.

  1. Open the CLI.

  2. Perform a programmatic reboot of the server.

  3. At the time of system boot, select Support Menu.

  4. Select Refresh NIC names and press OK.

  5. Wait for the reboot to complete.

  6. Log in with the default credentials:

    • login: Admin;
    • password: utm.
  7. Print the list of interfaces:

    iface list
  8. Make sure that the zone column for the Internet port shows __default__ (ID=1).

  9. If the value does not match, change the zone for the Internet port:

    iface config -name <eth_name> -zone 1

    where <eth_name> is the name of the Internet port.

Configure the local interface on the firewall

  1. Connect to the firewall.
  2. Go to Settings → Network → Interfaces.
  3. For the added port (port1), click Enable.
  4. Click Edit.
  5. Open the tab General.
  6. In the field Zone select Trusted.
  7. Open the tab Network.
  8. In the field Mode select Static.
  9. Click Add.
  10. Enter the IP address of the interface.
  11. Optional: change the mask.
  12. Click Save.

Configure a NAT rule

  1. Connect to the firewall.
  2. Go to Settings → Network policies → NAT and routing.
  3. Click Add.
  4. Open the tab General.
  5. Enter the name of the rule.
  6. Optional: enter a description of the rule.
  7. Select the type — NAT.
  8. In the field SNAT IP, enter the IP address of the firewall's Internet port that will replace the source address. If the firewall is deployed on a cloud server with a single public address, enter the address from the private network to which the public address is bound.
  9. Open the tab Source.
  10. In the block Source zone, check the box Trusted.
  11. Optional: add a specific IP address or subnet that may be the source of the traffic. In the block Source address, click Create and add a new object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
  12. Open the tab Destination.
  13. In the block Destination zone, check the box Management.
  14. Optional: add a specific IP address or subnet to which traffic can be sent. In the block Destination address, click Create and add a new object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
  15. Optional: to limit the list of ports for outgoing traffic, add them on the tab Service.
  16. Click Save.

Configure filtering rules

  1. Connect to the firewall.
  2. Go to Settings → Network policies → Firewall.
  3. Click Add.
  4. Open the tab General.
  5. Enter the name of the policy.
  6. Optional: enter a description of the policy.
  7. Select the action Allow.
  8. Open the tab Source.
  9. Check the box Trusted.
  10. Optional: add a specific IP address or subnet that may be the source of the traffic. In the block Source address, click Create and add a new object → Add, enter the addresses, and save the object. If you do not add addresses, the rule applies to traffic from all private networks behind the firewall.
  11. Open the tab Destination.
  12. In the block Destination zone, check the box Management.
  13. Optional: add a specific IP address or subnet to which traffic can be sent. In the block Destination address, click Create and add a new object → Add, enter the addresses, and save the object. If you do not add addresses, traffic can be sent to any external network.
  14. Optional: to limit the list of ports for outgoing traffic, add them on the tab Service.
  15. Click Save.
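The NAT rule and the filtering rule above share the same matching semantics: a source zone, a destination zone, and optional address and service lists that mean "any" when left empty. The Python model below is an added example, not UserGate's rule engine or any UserGate API; the class names, field names and sample addresses are assumptions constructed for this illustration. It evaluates a packet against an ordered rule list, shows which source address a NAT rule rewrites to, and flags a rule whose optional fields were left empty, which is the check worth making before saving a rule that a protected server will sit behind.

```python
# Added teaching model of the zone-based NAT/firewall rule semantics described
# in this guide. Assumption: this is NOT UserGate's rule engine or API; the
# class and field names are invented for the example. Addresses are constructed
# sample values from the RFC 5737 documentation ranges.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    src_zones: List[str]                      # e.g. ["Trusted"]
    dst_zones: List[str]                      # e.g. ["Management"]
    src_addrs: List[str] = field(default_factory=list)   # empty = any host in the zone
    dst_addrs: List[str] = field(default_factory=list)   # empty = any destination
    services: List[Tuple[str, int]] = field(default_factory=list)  # empty = all ports
    snat_ip: Optional[str] = None             # set on a NAT-type rule (SNAT IP field)
    action: str = "allow"


def _addr_allowed(addr: str, nets: List[str]) -> bool:
    """An empty address list means 'any', as the guide states for both tabs."""
    return not nets or any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Zone, optional address, and optional service checks of one rule."""
    return (
        pkt.src_zone in rule.src_zones
        and pkt.dst_zone in rule.dst_zones
        and _addr_allowed(pkt.src_ip, rule.src_addrs)
        and _addr_allowed(pkt.dst_ip, rule.dst_addrs)
        and (not rule.services or (pkt.proto, pkt.dst_port) in rule.services)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match evaluation over an ordered rule list. Returns the name of the
    matching rule, or None when nothing applies (treat None as deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return None


def translated_source(rule: Rule, pkt: Packet) -> Optional[str]:
    """Source IP the packet leaves the firewall with under a NAT rule, or None
    when the rule does not match or is not a NAT rule."""
    if not matches(rule, pkt) or rule.snat_ip is None:
        return None
    return rule.snat_ip


def overly_broad(rule: Rule) -> List[str]:
    """Flag the three optional fields the guide lets you leave empty; each empty
    field widens the rule to 'any'."""
    findings = []
    if not rule.src_addrs:
        findings.append("source addresses empty: any host in %s" % ",".join(rule.src_zones))
    if not rule.dst_addrs:
        findings.append("destination addresses empty: any external network")
    if not rule.services:
        findings.append("services empty: all ports")
    return findings


# Constructed sample configuration (not from the page): firewall Internet port
# 198.51.100.10, protected server 10.0.0.5 behind the Trusted zone.
BROAD_NAT = Rule("nat-any", ["Trusted"], ["Management"], snat_ip="198.51.100.10")
NARROW_NAT = Rule(
    "nat-https-only", ["Trusted"], ["Management"],
    src_addrs=["10.0.0.0/24"], dst_addrs=["203.0.113.0/24"],
    services=[("tcp", 443)], snat_ip="198.51.100.10",
)
HTTPS_OUT = Packet("Trusted", "10.0.0.5", "Management", "203.0.113.7", 443)
SSH_OUT = Packet("Trusted", "10.0.0.5", "Management", "203.0.113.7", 22)
FROM_OUTSIDE = Packet("Management", "203.0.113.7", "Trusted", "10.0.0.5", 22)

if __name__ == "__main__":
    for rule in (BROAD_NAT, NARROW_NAT):
        print(rule.name, "->", overly_broad(rule) or "scoped")
    print("ssh via narrow rule:", evaluate([NARROW_NAT], SSH_OUT))
    print("https via narrow rule:", evaluate([NARROW_NAT], HTTPS_OUT),
          "leaves as", translated_source(NARROW_NAT, HTTPS_OUT))
```

Run it as a script to see the broad rule reported with three findings and the narrow rule passing only HTTPS; the same `overly_broad` check applies to a filtering rule, since its Source, Destination and Service tabs carry the same empty-means-any semantics.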