Creating and configuring a UserGate gateway in firewall mode
You will create a UserGate virtual machine in Yandex Cloud and set up the gateway for firewall mode. To learn about advanced UserGate features, take the free UserGate Getting Started course.
To deploy a UserGate gateway and check its health:
- Prepare your cloud.
- Create a cloud network and subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW via the administrative console.
- Set up routing in the subnet.
- Test the firewall.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The price for the UserGate gateway includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using UserGate NGFW.
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network and subnet
Create a cloud network with subnets in the availability zones that will host your VM.
- On the folder page in the management console, click Create resource and select Network.
- Enter the network name: usergate-network.
- Enable the Create subnets option.
- Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Create a network named usergate-network:
  yc vpc network create usergate-network
  Result:
  id: enptrcle5q3d3ktd33hj
  folder_id: b1g9hv2loamqfnbul7d9
  created_at: "2022-06-08T09:25:03Z"
  name: usergate-network
  default_security_group_id: enpbsnnop4akg7ng70ll
  For more information about the yc vpc network create command, see the CLI reference.
- Create the usergate-subnet-ru-central1-a subnet in the ru-central1-a availability zone:
  yc vpc subnet create usergate-subnet-ru-central1-a \
    --zone ru-central1-a \
    --network-name usergate-network \
    --range 10.1.0.0/16
  Result:
  id: e9bnnssj8sc8mjhat9qk
  folder_id: b1g9hv2loamqfnbul7d9
  created_at: "2022-06-08T09:27:00Z"
  name: usergate-subnet-ru-central1-a
  network_id: enptrcle5q3d3ktd33hj
  zone_id: ru-central1-a
  v4_cidr_blocks:
    - 10.1.0.0/16
  For more information about the yc vpc subnet create command, see the CLI reference.
- In the configuration file, describe the network parameters for usergate-network and its subnets:
  resource "yandex_vpc_network" "usergate-network" {
    name = "usergate-network"
  }

  # The subnet resource needs a label so other resources can reference it
  resource "yandex_vpc_subnet" "usergate-subnet" {
    name           = "usergate-subnet-ru-central1-a"
    zone           = "ru-central1-a"
    network_id     = "${yandex_vpc_network.usergate-network.id}"
    v4_cidr_blocks = ["10.1.0.0/16"]
  }
  Learn more in the description of the yandex_vpc_network and yandex_vpc_subnet resources in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
- Create a network named usergate-network using the gRPC API NetworkService/Create call or the REST API create method for the Network resource.
- Create a subnet named usergate-subnet-ru-central1-a using the SubnetService/Create gRPC API call or the REST API create method for the Subnet resource.
Reserve a static public IP address
The gateway will need a static public IP address.
- In the management console, go to the page of the folder where you want to reserve an IP address.
- In the list of services, select Virtual Private Cloud.
- On the left-hand panel, select IP addresses.
- Click Reserve address.
- In the window that opens, select the ru-central1-a availability zone.
- Click Reserve address.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-a
Result:
id: e9b6un9gkso6stdh6b3p
folder_id: b1g7gvsi89m34pipa3ke
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
  address: 178.154.253.52
  zone_id: ru-central1-a
  requirements: {}
reserved: true
For more information about the yc vpc address create command, see the CLI reference.
In the configuration file, describe the parameters of the yandex_vpc_address public IP address (the zone must match the zone of the VM, ru-central1-a):
resource "yandex_vpc_address" "usergate-addr" {
  name = "usergate-addr"
  external_ipv4_address {
    zone_id = "ru-central1-a"
  }
}
To learn more, see the yandex_vpc_address resource description in the Terraform provider documentation.
Create a UserGate VM
- On the management console folder page, click Create resource and select Virtual machine.
- In the Name field, enter usergate-firewall as the VM name.
- Select the ru-central1-a availability zone.
- Under Image/boot disk selection, click the Cloud Marketplace tab, then select the UserGate NGFW image.
- Under Computing resources:
  - Select the Intel Ice Lake platform.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 4
    - Guaranteed vCPU share: 100%
    - RAM: 8 GB
  Note
  These parameters are appropriate for functional testing of the gateway. To calculate the parameters for the production workload, read the UserGate official recommendations.
- Under Network settings:
  - Select the usergate-network network and the usergate-subnet-ru-central1-a subnet.
  - In the Public address field, select from a list of reserved IPs.
- Under Access, specify the information required to access the VM:
  - Enter the username in the Login field.
  - In the SSH key field, paste the contents of the public key file.
    You will need to create a key pair for the SSH connection yourself; see Creating an SSH key pair for details.
- Click Create VM.
- Create an SSH key pair.
- Run this command:
  yc compute instance create \
    --name usergate-firewall \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-a \
    --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
    --ssh-key <path_to_public_part_of_SSH_key> \
    --public-address=<reserved_IP_address>
  Result:
  id: fhm2na1siftpfhrfc03l
  folder_id: b1g86q4m5vej8lkljme5
  created_at: "2022-06-09T11:15:52Z"
  name: usergate-firewall
  zone_id: ru-central1-a
  platform_id: standard-v2
  resources:
    memory: "8589934592"
    cores: "4"
    core_fraction: "100"
  status: RUNNING
  boot_disk:
    mode: READ_WRITE
    device_name: fhmiq60rni2tqvjdiq3l
    auto_delete: true
    disk_id: fhmiq60rni2tqvjdiq3l
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:2b:a8:3c:93
      subnet_id: e9bqlr188as7rgsgh4kn
      primary_v4_address:
        address: 10.1.0.27
        one_to_one_nat:
          address: 51.250.72.1
          ip_version: IPV4
  fqdn: fhm2na1siftpfhrfc03l.auto.internal
  scheduling_policy: {}
  network_settings:
    type: STANDARD
  placement_policy: {}
  For more information about the yc compute instance create command, see the CLI reference.
- Get the ID of the latest version of the UserGate NGFW gateway from the list of public images.
- In the configuration file, describe the parameters of the usergate-firewall VM:
  resource "yandex_compute_disk" "boot-disk" {
    name     = "boot-disk"
    type     = "network-hdd"
    zone     = "ru-central1-a"
    size     = "110"
    image_id = "<UserGate_NGFW_image_ID>"
  }

  resource "yandex_compute_instance" "usergate-firewall" {
    name        = "usergate-firewall"
    platform_id = "standard-v3"
    zone        = "ru-central1-a"
    hostname    = "usergate"
    resources {
      cores         = 4
      core_fraction = 100
      memory        = 8
    }
    boot_disk {
      disk_id = yandex_compute_disk.boot-disk.id
    }
    network_interface {
      subnet_id      = "${yandex_vpc_subnet.usergate-subnet.id}"
      nat            = true
      # The reserved public address, quoted as a string
      nat_ip_address = "<reserved_IP_address>"
    }
  }
  To learn more, see the yandex_compute_instance resource description in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder with the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
Create the usergate-firewall VM using the REST API create method for the Instance resource.
Set up the UserGate NGFW via the administrative console
To set up the gateway, go to the UserGate NGFW administrative console at https://<public_IP_address_of_the_UserGate_VM>:8001 and log in with the default credentials: username Admin, password utm.
When you are logged in, the system prompts you to change the default password and update the OS.
Set up the gateway to run in firewall mode
Configure UserGate NGFW:
- In the top menu, select Settings.
- In the menu on the left, go to Network ⟶ Zones.
- Click the Trusted zone name.
- Click Access control, then enable Administration console. Click Save.
- In the menu on the left, go to Network ⟶ Interfaces.
- Click the port0 network interface name.
- In the General tab, in the Zone field, select the Trusted zone from the list. Click Save.
- In the menu on the left, click Network policies ⟶ Firewall.
- Click the preset rule: Allow trusted to untrusted.
- Click Destination and disable the Untrusted zone. Click Save.
- Enable the Allow trusted to untrusted rule. To do this, select the line with the rule and click Enable at the top of the screen.
- In the menu on the left, click Network policies ⟶ NAT and routing.
- Click the preset rule: NAT from trusted to untrusted.
- Click Destination and change the destination zone from Untrusted to Trusted. Click Save.
- Enable the NAT from Trusted to Untrusted rule. To do this, select the line with the rule and click Enable at the top of the screen.
Now the gateway has been set up.
Set up the traffic filtering rules
We recommend that you use the following default policies: Block to botnets, Block from botnets, and Example block RU RKN by IP list. First change several parameters in them:
- Click Network policies ⟶ Firewall.
- Click the name of the preset rule.
- Click Source and change the source zone from Untrusted to Trusted.
- Click Destination and disable the Untrusted zone.
- Click Save.
- Enable the selected rule. To do this, select the line with the rule and click Enable at the top of the screen.
For higher security, set up more traffic filtering rules:
- Click Network policies ⟶ Firewall.
- Add the first blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule parameters:
    - Name: Block QUIC protocol.
    - Action: Deny.
  - Click Source and select Trusted.
  - Click Service.
  - Click Add.
  - Select the Quick UDP Internet Connections service, then click Add. After that, click Close.
  - Click Save.
- Add the second blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule parameters:
    - Name: Block Windows updates.
    - Action: Deny.
  - Click Source and select Trusted.
  - Click Applications.
  - Click Add ⟶ Add applications.
  - Select the Microsoft Update application, then click Add.
  - Select the WinUpdate application, then click Add. After that, click Close.
  - Click Save.
You can also add other traffic filtering rules. We do not recommend combining services and applications in the same rule, because such a rule might not trigger.
Set up routing for the subnet
Create a static route:
- In the management console, go to the folder where you need to create a static route.
- In the list of services, select Virtual Private Cloud.
- On the left-hand panel, select Route tables.
- Click Create.
- Enter a name for the route table. The naming requirements are as follows:
  - The name must be from 3 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter and the last character cannot be a hyphen.
- (Optional) Add a description of the route table.
- Select the usergate-network network.
- Click Add route.
- In the window that opens, enter the prefix for the target subnet (0.0.0.0) and select 0 from the drop-down list.
- Specify the next hop, i.e., the internal IP address of the UserGate usergate-firewall VM.
- Click Add.
- Click Create route table.
To use static routes, link the route table to a subnet:
- On the left-hand panel, select Subnets.
- In the usergate-subnet-ru-central1-a line, click the options icon.
- In the menu that opens, select Link route table.
- In the window that opens, select the created table from the list.
- Click Link.
To create a routing table and add static routes:
- View a description of the CLI command for creating routing tables:
  yc vpc route-table create --help
- Get the IDs of cloud networks in your cloud:
  yc vpc network list
  Result:
  +----------------------+------------------+
  | ID                   | NAME             |
  +----------------------+------------------+
  | enp846vf5fus0nt3lu83 | usergate-network |
  +----------------------+------------------+
- Create a routing table in the usergate-network network:
  yc vpc route-table create \
    --name=test-route-table \
    --network-id=enp846vf5fus0nt3lu83 \
    --route destination=0.0.0.0/0,next-hop=10.129.0.24
  Where:
  - name: Name of the route table.
  - network-id: ID of the network where the table will be created.
  - route: Route settings with two parameters:
    - destination: Destination subnet prefix in CIDR notation.
    - next-hop: Internal IP address of the UserGate usergate-firewall VM.
  Result:
  ...done
  id: enpsi6b08q2vfdmppsnb
  folder_id: b1gqs1teo2q2a4vnmi2t
  created_at: "2019-06-24T09:57:54Z"
  name: test-route-table
  network_id: enp846vf5fus0nt3lu83
  static_routes:
    - destination_prefix: 0.0.0.0/0
      next_hop_address: 10.129.0.24
To use static routes, link the route table to a subnet:
- Get a list of subnets in your cloud:
  yc vpc subnet list
  Result:
  +----------------------+-------------------------------+----------------------+----------------+---------------+-----------------+
  | ID                   | NAME                          | NETWORK ID           | ROUTE TABLE ID | ZONE          | RANGE           |
  +----------------------+-------------------------------+----------------------+----------------+---------------+-----------------+
  | b0c4l3v9jrgdqve43902 | usergate-subnet-ru-central1-a | enpjsdf771h0c0fs7g5a |                | ru-central1-a | [10.130.0.0/24] |
  +----------------------+-------------------------------+----------------------+----------------+---------------+-----------------+
- Assign the routing table to the subnet where the web service will run, for example, to the usergate-subnet-ru-central1-a subnet:
  yc vpc subnet update b0c4l3v9jrgdqve43902 --route-table-id e2l5345dlgr1ugidhmov
  Result:
  ..done
  id: b0c4l3v9jrgdqve43902
  folder_id: b1gqs1teo2q2a4vnmi2t
  created_at: "2019-03-12T13:27:22Z"
  name: subnet-1
  network_id: enp846vf5fus0nt3lu83
  zone_id: ru-central1-a
  v4_cidr_blocks:
    - 192.168.0.0/24
  route_table_id: e2l5345dlgr1ugidhmov
To create a routing table and add static routes:
- In the configuration file, describe the parameters of the resources you want to create:
  - name: Name of the route table. The name format is as follows:
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - network_id: ID of the network where the table will be created.
  - static_route: Static route description:
    - destination_prefix: Destination subnet prefix in CIDR notation.
    - next_hop_address: Internal IP address of the VM from the allowed ranges the traffic will be sent through.
  Here is an example of the configuration file structure:
  resource "yandex_vpc_route_table" "usergate-rt-a" {
    name       = "<routing_table_name>"
    network_id = "<network_ID>"
    static_route {
      destination_prefix = "0.0.0.0/0"
      next_hop_address   = "10.129.0.24"
    }
  }
  To add, update, or delete a route table, use the yandex_vpc_route_table resource and specify the network in the network_id field (such as network_id = "${yandex_vpc_network.lab-net.id}"). For more information about the yandex_vpc_route_table resource parameters in Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console or this CLI command:
yc vpc route-table list
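As an added example (not the tutorial's own code), the Terraform fragments from the network, address, VM and routing sections combined into one file, so that the subnet is linked to a route table whose default route points at the gateway VM. It assumes the yandex provider is already configured; the image ID is a placeholder and the pinned internal address 10.1.0.10 for the gateway is an assumption.

```hcl
# Added example, not from the Yandex Cloud tutorial: network, subnet, reserved
# address, UserGate VM and a default route through it in one configuration.

resource "yandex_vpc_network" "usergate-network" {
  name = "usergate-network"
}

resource "yandex_vpc_address" "usergate-addr" {
  name = "usergate-addr"
  external_ipv4_address {
    zone_id = "ru-central1-a" # must match the zone of the VM
  }
}

# Default route: all traffic leaving the subnet is sent to the gateway VM.
# The gateway address is pinned (ip_address below), so no cycle via the instance.
resource "yandex_vpc_route_table" "usergate-rt-a" {
  name       = "usergate-rt-a"
  network_id = yandex_vpc_network.usergate-network.id
  static_route {
    destination_prefix = "0.0.0.0/0"
    next_hop_address   = "10.1.0.10" # assumed: pinned internal address of the gateway
  }
}

resource "yandex_vpc_subnet" "usergate-subnet-ru-central1-a" {
  name           = "usergate-subnet-ru-central1-a"
  zone           = "ru-central1-a"
  network_id     = yandex_vpc_network.usergate-network.id
  v4_cidr_blocks = ["10.1.0.0/16"]
  route_table_id = yandex_vpc_route_table.usergate-rt-a.id # links the table
}

resource "yandex_compute_instance" "usergate-firewall" {
  name        = "usergate-firewall"
  platform_id = "standard-v3" # Intel Ice Lake
  zone        = "ru-central1-a"
  hostname    = "usergate"
  resources {
    cores         = 4
    core_fraction = 100
    memory        = 8
  }
  boot_disk {
    initialize_params {
      image_id = "<UserGate_NGFW_image_ID>" # placeholder: take it from the public images list
      size     = 110
    }
  }
  network_interface {
    subnet_id      = yandex_vpc_subnet.usergate-subnet-ru-central1-a.id
    ip_address     = "10.1.0.10" # same address as the route's next hop
    nat            = true
    nat_ip_address = yandex_vpc_address.usergate-addr.external_ipv4_address[0].address
  }
}
```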
Test the firewall
To test your firewall, create a test web service and make sure that you can access it from the internet.
Set up a test VM
- Create a VM from a public Linux image in the usergate-subnet-ru-central1-a subnet. In the VM settings, enable the serial console.
- To connect to the VM via the CLI, run the command:
  yc compute connect-to-serial-port --instance-name <VM_name>
  Where --instance-name is the name of the test VM.
- Start the test web service:
  sudo python3 -m http.server 80
  The web server will listen for requests on port 80 and return a list of the directories and files in the current directory.
Use the firewall to set up a reverse proxy to the web service
- In the UserGate administrator web console, in the top menu, select Settings.
- On the left, in the Global portal section, select Web portal and set up access by an HTTP address:
  - Click Add to open the portal adding dialog.
  - Tick the Enabled option.
  - In the Name field, enter Test web portal.
  - In the URL field, enter http://<IP_address_of_UserGate_VM>.
  - Leave SSL profile at default.
  - In the Certificate field, select CA (Default).
  - Click Save.
- Select Reverse proxy servers and add a new server:
  - Click Add to open the server adding dialog.
  - In the Name field, enter Local server.
  - In the Server address field, enter the <internal_IP_of_test_VM>, for example, 10.129.0.24.
  - In the Port field, enter 80.
  - Click Save.
- Select Reverse proxy rules and add a new rule:
  - Click Add to open the rule adding dialog.
  - Tick the Enabled option.
  - In the Name field, enter Access to local server.
  - In the Reverse proxy server field, select Local server.
  - In the Ports field, enter 5550.
  - Click Save.
This completes setting up access to a local server. The firewall will accept requests on port 5550 and forward them to port 80 on the test VM IP address.
Test that the web server is available from the internet
- Make sure that you can execute a request against the web service at the URL:
  http://<IP_address_of_UserGate_VM>:5550
  This should return a list of directories and files in the folder.
- In the UserGate administrator web console, in the top menu, select Logs and reports.
- On the left side of the Logs section, select Web access log and make sure that you can see an entry about the Access to local server rule being triggered.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the usergate-firewall and local-service VMs.
- Delete the static public IP address.