Setting up a UserGate firewall
UserGate is a next-generation firewall created by the Russia-based company UserGate.
In this tutorial, you will create and configure a Yandex Cloud VM running the UserGate firewall. To learn more about UserGate, sign up to our free course UserGate Getting Started.
To set up UserGate and test its work:
- Get your cloud ready.
- Create a cloud network with a subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW.
- Configure subnet routing.
- Test the firewall.
If you no longer need the resources you created, delete them.
Getting started
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The cost of the UserGate firewall infrastructure includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using UserGate NGFW.
- Fee for a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network with a subnet
Create a cloud network with a subnet in the availability zone where your VM will reside.
- On the folder dashboard in the management console, click Create resource and select Network.
- Specify the network name:
usergate-network. - Enable the Create subnets option.
- Click Create network.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Create a network named
usergate-network:yc vpc network create usergate-networkResult:
id: enptrcle5q3d******** folder_id: b1g9hv2loamq******** created_at: "2022-06-08T09:25:03Z" name: usergate-network default_security_group_id: enpbsnnop4ak********For more information about the
yc vpc network createcommand, see the CLI reference. -
Create a subnet named
usergate-subnet-ru-central1-din theru-central1-davailability zone:yc vpc subnet create usergate-subnet-ru-central1-d \ --zone ru-central1-d \ --network-name usergate-network \ --range 10.1.0.0/16Result:
id: e9bnnssj8sc8******** folder_id: b1g9hv2loamq******** created_at: "2022-06-08T09:27:00Z" name: usergate-subnet-ru-central1-d network_id: enptrcle5q3d******** zone_id: ru-central1-d v4_cidr_blocks: - 10.1.0.0/16For more information about the
yc vpc subnet createcommand, see the CLI reference.
-
Specify the
usergate-networkand its subnet settings in the terraform configuration file:resource "yandex_vpc_network" "usergate-network" { name = "usergate-network" } resource "yandex_vpc_subnet" { name = "usergate-subnet-ru-central1-d" zone = "ru-central1-d" network_id = "${yandex_vpc_network.usergate-network.id}" v4_cidr_blocks = ["10.1.0.0/16"] }For more information, see the yandex_vpc_network and yandex_vpc_subnet resource descriptions in the Terraform provider documentation.
-
Make sure your configuration files are correct.
-
In the terminal, navigate to your configuration file directory.
-
Run a check using this command:
terraform plan
If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
-
-
Deploy your cloud resources.
-
Once your configuration is correct, run this command:
terraform apply -
When asked to confirm the changes, type
yesand press Enter.
-
- To create
usergate-network, use the NetworkService/Create gRPC API call or the create REST API method for the Network resource. - To create the
usergate-subnet-ru-central1-dsubnet, use the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.
Reserve a static public IP address
Your gateway will need a static public IP address.
- In the management console, navigate to the folder where you want to reserve your IP address.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select IP addresses.
- Click Reserve address.
- In the window that opens, select the
ru-central1-davailability zone. - Click Reserve address.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-d
Result:
id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
address: 178.154.253.52
zone_id: ru-central1-d
requirements: {}
reserved: true
For more information about the yc vpc address create command, see the CLI reference.
In the configuration file, specify the yandex_vpc_address settings:
resource "yandex_vpc_address" "usergate-addr" {
name = "usergate-addr"
external_ipv4_address {
zone_id = "ru-central1-d"
}
}
For more information, see the vpc_address resource description in the Terraform provider documentation.
Create a UserGate VM
-
On the folder page in the management console, click Create resource and select
Virtual machine instance. -
Under Boot disk image, in the Product search field, type
UserGate NGFWand select the UserGate NGFW image. -
Under Location, select the
ru-central1-davailability zone. -
Under Computing resources, navigate to the
Customtab and specify the required platform, number of vCPUs, and amount of RAM:- Platform:
Intel Ice Lake - vCPU:
4 - Guaranteed vCPU performance:
100% - RAM:
8 GB
Note
These settings will suffice for the gateway functional testing. For the production environment, use these UserGate official recommendations.
- Platform:
-
Under Network settings:
- In the Subnet field, select
usergate-networkand theusergate-subnet-ru-central1-dsubnet. - In the Public IP address field, click
Listand select the previously reserved IP address.
- In the Subnet field, select
-
Under Access, select the SSH key option, and specify the VM access credentials:
- Under Login, specify a username. Do not use
rootor other reserved usernames. To perform operations requiring root privileges, use thesudocommand. -
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no saved SSH keys in your profile, or you want to add a new key:
- Click Add key.
- Enter a name for the SSH key.
- Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
- Click Add.
The SSH key will be added to your organization user profile.
If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under Login, specify a username. Do not use
-
Under General information, specify the VM name:
usergate-firewall. -
Click Create VM.
-
Create an SSH key pair.
-
Run this command:
yc compute instance create \ --name usergate-firewall \ --memory 8 \ --cores 4 \ --zone ru-central1-d \ --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \ --ssh-key <path_to_public_part_of_SSH_key> \ --public-address=<reserved_IP_address>Result:
id: fhm2na1siftp******** folder_id: b1g86q4m5vej******** created_at: "2022-06-09T11:15:52Z" name: usergate-firewall zone_id: ru-central1-d platform_id: standard-v2 resources: memory: "8589934592" cores: "4" core_fraction: "100" status: RUNNING boot_disk: mode: READ_WRITE device_name: fhmiq60rni2t******** auto_delete: true disk_id: fhmiq60rni2t******** network_interfaces: - index: "0" mac_address: d0:0d:2b:a8:3c:93 subnet_id: e9bqlr188as7******** primary_v4_address: address: 10.1.0.27 one_to_one_nat: address: 51.250.72.1 ip_version: IPV4 fqdn: fhm2na1siftp********.auto.internal scheduling_policy: {} network_settings: type: STANDARD placement_policy: {}For more information about the
yc compute instance createcommand, see the CLI reference.
-
In the list of public images, select the latest version of the UserGate NGFW and get its ID.
-
Describe the
usergate-firewallVM settings in the terraform configuration file:resource "yandex_compute_disk" "boot-disk" { name = "boot-disk" type = "network-hdd" zone = "ru-central1-d" size = "110" image_id = "<UserGate_NGFW_image_ID>" } resource "yandex_compute_instance" "usergate-firewall" { name = "usergate-firewall" platform_id = "standard-v3" zone = "ru-central1-d" hostname = "usergate" resources { cores = 4 core_fraction = 100 memory = 8 } boot_disk { disk_id = yandex_compute_disk.boot-disk.id } network_interface { subnet_id = "${yandex_vpc_subnet.usergate-subnet.id}" nat = true nat_ip_address = <reserved_IP_address> }For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.
-
Make sure your configuration files are correct.
-
In the terminal, navigate to the configuration file directory.
-
Run a check using this command:
terraform plan
If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
-
-
Deploy your cloud resources.
-
Once your configuration is correct, run this command:
terraform apply -
When asked to confirm the changes, type
yesand press Enter.
-
To create the usergate-firewall VM, use the create REST API method for the Instance resource.
Set up the UserGate NGFW
Open the UserGate NGFW admin console at https://<UserGate_VM_public_IP_address>:8001 and log in with the default credentials: Admin for username and utm for password.
Once you log in, the system will prompt you to change the default password and update the OS.
Set up your gateway to work as firewall
Configure UserGate NGFW:
- In the top menu, select Settings.
- In the left menu, navigate to Network ⟶ Zones.
- Click the
Trustedzone. - Click Access control, then enable Administration console. Click Save.
- In the left menu, navigate to Network ⟶ Interfaces.
- Click the
port0network interface. - On the General tab, in the Zone field, select
Trustedfrom the list. Click Save. - In the left menu, click Network policies ⟶ Firewall.
- Click the
Allow trusted to untrustedpreset rule. - Navigate to the Destination tab and disable the
Untrustedzone. Click Save. - Enable the
Allow trusted to untrustedrule by selecting it and clicking Enable at the top of the screen. - In the left menu, click Network policies ⟶ NAT and routing.
- Click the
NAT from Trusted to Untrustedpreset rule. - Navigate to the Destination tab and change the destination zone from
UntrustedtoTrusted. Click Save. - Enable the
NAT from Trusted to Untrustedrule by selecting it and clicking Enable at the top of the screen.
Now you configured the gateway.
Configure traffic filtering rules
We recommend using the Block to botnets, Block from botnets, and Example block RU RKN by IP list default policies with customized settings:
- Click Network policies ⟶ Firewall.
- Click the name of the preset default policy from the list above.
- Navigate to the Source tab and change the source zone from
UntrustedtoTrusted. - Navigate to the Destination tab and disable the
Untrustedzone. - Click Save.
- Enable the rule by selecting it and clicking Enable at the top of the screen.
Add more rules to enhance security:
-
Click Network policies ⟶ Firewall.
-
Add the first blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule settings:
- Name:
Block QUIC protocol - Action: Deny
- Name:
-
Navigate to the Source tab and select
Trusted. -
Click Service.
-
Click Add.
-
Select
Quick UDP Internet Connectionsand click Add and then Close. -
Click Save.
-
-
Add the second blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule settings:
- Name:
Block Windows updates - Action: Deny
- Name:
-
Navigate to the Source tab and select
Trusted. -
Click Applications.
-
Click Add ⟶ Add applications.
-
Select
Microsoft Updateand click Add. -
Select
WinUpdateand click Add and then Close. -
Click Save.
-
You can add more traffic filtering rules. When doing that, avoid combining services and applications in the same rule; otherwise, it might not trigger.
Configure subnet routing
Create a static route:
-
In the management console, navigate to the folder where you want to create a static route.
-
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select Route tables.
-
Click Create.
-
Specify the route table name meeing the following requirements:
- It must be from 2 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
-
Optionally, specify the route table description.
-
Select
usergate-network. -
Click Add route.
-
In the window that opens, specify the destination subnet prefix (
0.0.0.0) and select0from the drop-down list. -
In the next hop field, specify the
usergate-firewallinternal IP address. -
Click Add.
-
Click Create route table.
Link your route table to a subnet that will use its static routes:
- In the left-hand panel, select Subnets.
- Click next to
usergate-subnet-ru-central1-d. - In the menu that opens, select Link route table.
- In the window that opens, select your route table from the list.
- Click Link.
To create a route table with static routes:
-
Read the
route-table createcommand description:yc vpc route-table create --help -
Get your cloud network ID:
yc vpc network listResult:
+----------------------+--------------------+ | ID | NAME | +----------------------+--------------------+ | enp846vf5fus******** | usergate-network | +----------------------+--------------------+ -
Create a
usergate-networkroute table:yc vpc route-table create \ --name=test-route-table \ --network-id=enp846vf5fus******** \ --route destination=0.0.0.0/0,next-hop=10.129.0.24Where:
name: Route table name.network-id: Route table network ID.route: Route settings:destination: Destination CIDR block.next-hop:usergate-firewallinternal IP address.
Result:
...done id: enpsi6b08q2v******** folder_id: b1gqs1teo2q2******** created_at: "2019-06-24T09:57:54Z" name: test-route-table network_id: enp846vf5fus******** static_routes: - destination_prefix: 0.0.0.0/0 next_hop_address: 10.129.0.24
Link your route table to a subnet that will use its static routes:
-
Get a list your cloud subnets:
yc vpc subnet listResult:
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+ | ID | NAME | NETWORK ID | ROUTE TABLE ID | ZONE | RANGE | +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+ | b0c4l3v9jrgd******** | usergate-subnet-ru-central1-d | enpjsdf771h0******** | | ru-central1-d | [10.130.0.0/24] | +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+ -
Link the route table to the
usergate-subnet-ru-central1-dweb service-hosting subnet:yc vpc subnet update b0c4l3v9jrgd******** --route-table-id e2l5345dlgr1********Result:
..done id: b0c4l3v9jrgd******** folder_id: b1gqs1teo2q2******** created_at: "2019-03-12T13:27:22Z" name: subnet-1 network_id: enp846vf5fus******** zone_id: ru-central1-d v4_cidr_blocks: - 192.168.0.0/24 route_table_id: e2l5345dlgr1********
To create a route table with static routes:
-
Describe the resources you want to create in the terraform configuration file:
-
name: Route table name. Meeting the following requirements:- It must be from 2 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
-
network_id: Route table network ID. -
static_route: Static route description:destination_prefix: Destination CIDR block.next_hop_address: gateway VM internal IP address serving as the next hop for the allowed traffic.
Here is the configuration file example:
resource "yandex_vpc_route_table" "usergate-rt-d" { name = "<route_table_name>" network_id = "<network_ID>" static_route { destination_prefix = "0.0.0.0/0" next_hop_address = "10.129.0.24" } }To add, update, or delete a route table, use the
yandex_vpc_route_tableresource and specify its network ID in thenetword idfield, e.g.network_id = "${yandex_vpc_network.lab-net.id}".For more information about the
yandex_vpc_route_tableTerraform resource properties, see the provider documentation. -
-
Make sure your configuration files are correct.
-
In the terminal, navigate to your configuration file directory.
-
Run a check using this command:
terraform plan
If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
-
-
Deploy your cloud resources.
-
Once your configuration is correct, run this command:
terraform apply -
When asked to confirm the changes, type
yesand press Enter.Terraform will create your resources in the specified folder. You can see their detailed description using the management console or this CLI command:
yc vpc route-table list
-
Test the firewall
To test the firewall, we will create a test web service and check whether we can access it from the internet.
Set up a test VM
-
Create a Linux-running VM in the
usergate-subnet-ru-central1-dsubnet and enable the serial console in its settings. -
Connect to the VM by running the following CLI command:
yc compute connect-to-serial-port --instance-name <VM_name>Where:
--instance-name: Test VM name. -
Start the test web service:
sudo python3 -m http.server 80The web server will listen on port 80 and return the contents of the
httpdocsdirectory.
Set up the web server reverse proxy on your firewall
-
In the UserGate admin web UI, select Settings from the top menu.
-
In the Global portal section on the left, select Web portal, and set up HTTP access to the gateway:
- Click Add to open the new portal dialog.
- Tick the Enabled option.
- In the Name field, specify
Test web portal. - In the URL field, specify
http://<UserGate_VM_IP_address>. - In the SSL profile field, leave the default value.
- In the Certificate field, select
CA (Default). - Click Save.
-
Select Reverse proxy servers and add a new server:
- Click Add to open the new server dialog.
- In the Name field, specify
Local server. - In the Server address field, specify the test web server VM IP address, e.g.,
10.129.0.24. - In the Port field, specify
80. - Click Save.
-
Select Reverse proxy rules and add a new rule:
- Click Add to open the new rule dialog.
- Tick the Enabled option.
- In the Name field, specify
Access to local server. - In the Reverse proxy server field, select
Local server. - In the Ports field, specify
5550. - Click Save.
Now you configured access to your test web server. The firewall will forward requests on port 5550 to the test VM IP address on port 80.
Check whether your web server is accessible from the internet
-
Make an HTTP request to your server by opening the following address in your browser:
http://<IP_address_of_UserGate_VM>:5550You should see the contents of your
httpdocsfolder. -
In the top menu of the UserGate admin web UI, select Logs and reports.
-
In the Logs section on the left, select Web access log and find an entry about applying the
Access to local serverrule.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the
usergate-firewallandlocal-serviceVMs. - Delete the static public IP address.