2. UserGate Getting Started. Requirements, installation

Hello, this is the second article about the NGFW solution from UserGate. The purpose of this article is to show how to install the UserGate firewall on a virtual system (I will be using VMware Workstation) and perform its initial configuration (allow access from the local network through the UserGate gateway to the Internet).

1. Introduction

To begin with, I will describe the various ways to deploy this gateway in the network. Note that depending on the selected connection mode, certain gateway functionality may not be available. The UserGate solution supports the following connection modes:

  • L3-L7 firewall

  • L2 transparent bridge

  • L3 transparent bridge

  • Virtually in-line, using the WCCP protocol

  • Virtually in-line, using Policy Based Routing

  • Router on a Stick

  • Explicitly set WEB proxy

  • UserGate as default gateway

  • Mirror port monitoring

UserGate supports 2 types of clusters:

  1. Configuration cluster. Nodes that are grouped into a configuration cluster maintain uniform settings across the cluster.

  2. Failover cluster. Up to 4 nodes of the configuration cluster can be combined into a failover cluster that supports operation in Active-Active or Active-Passive mode. It is possible to build multiple failover clusters.

2. Installation

As mentioned in the previous article, UserGate is delivered either as a hardware-software appliance or deployed in a virtual environment. From your personal account on the UserGate website, download the image in OVF (Open Virtualization Format); this format is suitable for VMware and Oracle VirtualBox. For Microsoft Hyper-V and KVM, virtual machine disk images are provided.

According to the UserGate website, for correct operation of the virtual machine it is recommended to use at least 8 GB of RAM and a 2-core virtual processor. The hypervisor must support 64-bit operating systems.

The installation starts by importing the image into the selected hypervisor (VirtualBox or VMware). In the case of Microsoft Hyper-V and KVM, you need to create a virtual machine, specify the downloaded image as its disk, and then disable integration services in the settings of the created virtual machine.

By default, after importing into VMware, a virtual machine is created with the vendor's default settings (shown in a screenshot in the original article).

As noted above, the RAM should be at least 8 GB, and in addition you need to add 1 GB for every 100 users. The default hard disk size is 100 GB, but this is usually not enough to store all the logs and settings; the recommended size is 300 GB or more. Therefore, in the properties of the virtual machine, change the disk size to the desired value. Initially, the virtual UserGate UTM comes with four interfaces assigned to zones:

Management - the first interface of the virtual machine, a zone for connecting trusted networks from which UserGate management is allowed.

Trusted - the second interface of the virtual machine, a zone for connecting trusted networks, for example, LAN networks.

Untrusted - the third interface of the virtual machine, a zone for interfaces connected to untrusted networks, such as the Internet.

DMZ - the fourth interface of the virtual machine, a zone for interfaces connected to the DMZ network.

Next, we start the virtual machine. The manual says that you need to select Support Tools and perform a Factory reset of the UTM, but in practice there is only one choice in the boot menu (UTM First Boot). During this step, the UTM configures the network adapters and grows the partition on the hard drive to the full size of the drive.

To connect to the UserGate web interface, you need to go through the Management zone. The eth0 interface is responsible for this, and it is configured to obtain an IP address automatically (DHCP). If an address cannot be assigned to the Management interface automatically via DHCP, it can be set explicitly using the CLI (Command Line Interface). To do this, log in to the CLI with a username and password that have Full administrator rights (by default, Admin, with a capital letter). If the UserGate device has not yet passed initial initialization, then to access the CLI you must use Admin as the username and utm as the password. Then type a command like iface config -name eth0 -ipv4 192.168.1.254/24 -enable true -mode static. After that, open the UserGate web console at the specified address; the URL should look something like this: https://UserGateIPaddress:8001

In the web console, we continue the installation: select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement. Finally, set the login and password for the web management interface.

3. Configuration

After installation, the platform management web interface opens.

Then you need to configure the network interfaces. To do this, in the "Interfaces" section, enable them, set the correct IP addresses and assign the appropriate zones.

The "Interfaces" section displays all physical and virtual interfaces available in the system, allows you to change their settings and add VLAN interfaces. It also shows all the interfaces of each cluster node. Interface settings are specific to each of the nodes, that is, they are not global.

In the interface properties you can:

  • Enable or disable the interface 

  • Specify interface type - Layer 3 or Mirror

  • Assign a zone to an interface

  • Assign Netflow profile to send statistical data to Netflow collector

  • Change the physical parameters of the interface - MAC address and MTU size

  • Select the type of IP address assignment - no address, static IP address or obtained via DHCP

  • Configure the operation of the DHCP relay on the selected interface.

The Add button allows you to add the following types of logical interfaces:

  • VLAN

  • Bond

  • Bridge

  • PPPoE

  • VPN

  • Tunnel


In addition to the previously listed zones that the UserGate image comes with, there are three more predefined zones:

Cluster - zone for interfaces used for cluster operation

VPN for Site-to-Site - zone in which all Office-to-Office clients connected to UserGate via VPN are placed

VPN for remote access - zone in which all mobile users connected to UserGate via VPN are placed

UserGate administrators can change the settings of the default zones and create additional ones, but, as stated in the manual for version 5, no more than 15 zones can be created. To edit or create them, go to the "Zones" section. For each zone, you can set packet-drop thresholds (SYN, UDP and ICMP are supported), configure access control to UserGate services, and enable spoofing protection.

After configuring the interfaces, you need to configure the default route in the "Gateways" section. That is, to connect UserGate to the Internet, you must specify the IP address of one or more gateways. If several providers are used to connect to the Internet, then several gateways must be specified. The gateway setting is unique to each cluster node. If two or more gateways are specified, there are two options for operation:

  1. Balancing traffic between gateways.

  2. A main gateway with failover to a backup one.

Gateway status (available - green, unavailable - red) is defined as follows:

  1. Network check disabled - a gateway is considered available if UserGate can obtain its MAC address using an ARP request. Internet access through this gateway is not checked. If the MAC address of the gateway cannot be determined, the gateway is considered unavailable.

  2. Network check enabled - a gateway is considered available if:

  • UserGate can obtain its MAC address using an ARP request.

  • Checking for Internet access through this gateway was successful.

Otherwise, the gateway is considered unavailable.

In the "DNS" section, you need to add the DNS servers that UserGate will use; this is specified in the System DNS servers area. Below it are the settings for managing DNS queries from users. UserGate allows you to use a DNS proxy: the DNS proxy service intercepts DNS requests from users and modifies them according to the administrator's needs. Using DNS proxy rules, you can specify the DNS servers to which queries for specific domains are forwarded. In addition, using the DNS proxy, you can set static host records (A records).

In the "NAT and Routing" section, you need to create the necessary NAT rules. For Internet access for users of the Trusted network, the NAT rule "Trusted -> Untrusted" has already been created; it only remains to enable it. Rules are applied from top to bottom in the order in which they appear in the console, and only the first rule whose conditions match is executed. For a rule to be triggered, all the conditions specified in its parameters must match. UserGate recommends creating general NAT rules, for example a NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and restricting access by users, services and applications using firewall rules.

It is also possible to create DNAT rules, port forwarding, Policy-based routing, Network mapping.

After that, in the "Firewall" section, you need to create firewall rules. For unrestricted Internet access for users of the Trusted network, the firewall rule "Internet for Trusted" has also already been created and only needs to be enabled. Using firewall rules, the administrator can allow or deny any type of transit network traffic passing through UserGate. Rule conditions can be zones and source/destination IP addresses, users and groups, services and applications. The rules are applied in the same way as in the "NAT and Routing" section, i.e. top-down, first match wins. If no rules are created, all transit traffic through UserGate is prohibited.
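The top-down, first-match semantics described for both the NAT and the firewall sections are easy to get wrong when a specific deny rule is placed below a broad allow rule. The following is an added example (not UserGate's code; the rule fields and the rule base are constructed assumptions) that models this evaluation order, including the default deny when nothing matches, and shows how a shadowed rule is fixed by reordering.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed model of first-match rule evaluation as the article describes it
# (example code, not UserGate's implementation; field names are assumptions).

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    service: str  # e.g. "HTTPS", "SSH"

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    enabled: bool = True
    src_zones: set = field(default_factory=set)  # empty condition = any
    dst_zones: set = field(default_factory=set)
    src_nets: set = field(default_factory=set)   # CIDR strings
    services: set = field(default_factory=set)

    def matches(self, p: Packet) -> bool:
        # All populated conditions must match for the rule to trigger.
        return (
            (not self.src_zones or p.src_zone in self.src_zones)
            and (not self.dst_zones or p.dst_zone in self.dst_zones)
            and (not self.src_nets or any(
                ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(n)
                for n in self.src_nets))
            and (not self.services or p.service in self.services)
        )

def evaluate(rules: list, p: Packet) -> tuple:
    """Top-down; first enabled match decides. No match -> transit traffic denied."""
    for r in rules:
        if r.enabled and r.matches(p):
            return r.action, r.name
    return "deny", None

# Constructed rule base: a broad allow followed by a narrower deny (shadowed).
RULES = [
    Rule("Internet for Trusted", "allow", src_zones={"Trusted"}, dst_zones={"Untrusted"}),
    Rule("Deny guest SSH", "deny", src_zones={"Trusted"}, dst_zones={"Untrusted"},
         src_nets={"192.168.10.0/24"}, services={"SSH"}),
]
GUEST_SSH = Packet("Trusted", "Untrusted", "192.168.10.5", "SSH")

def ordering_demo() -> tuple:
    shadowed = evaluate(RULES, GUEST_SSH)         # broad allow fires first
    fixed = evaluate(RULES[::-1], GUEST_SSH)      # specific deny placed above
    return shadowed, fixed
```

Running `ordering_demo()` shows the guest SSH packet allowed by the first ordering and denied once the specific rule is moved above the general one, which is why UserGate recommends broad NAT rules and fine-grained restriction in the firewall rule order.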


4. Conclusion

This article has come to an end. We installed the UserGate firewall on a virtual machine and made the minimum settings necessary for Internet access from the Trusted network. Further configuration will be covered in the following articles.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: habr.com