Creating and configuring a UserGate gateway in firewall mode
UserGate
You will create a UserGate virtual machine in Yandex Cloud and set up the gateway for firewall mode. To learn about advanced UserGate features, take the free course UserGate Getting Started
To deploy a UserGate gateway and check its health:
- Prepare your cloud.
- Create a cloud network and subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW via the admin console.
- Set up routing in the subnet.
- Test the firewall.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The price for the UserGate gateway includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using UserGate NGFW.
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network and subnet
Create a cloud network with subnets in the availability zones that will host your VM.
- On the folder page in the management console
, click Create resource and select Network. - Enter a name for the network:
usergate-network
. - Enable the Create subnets option.
- Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a network named
usergate-network
:yc vpc network create usergate-network
Result:
id: enptrcle5q3d******** folder_id: b1g9hv2loamq******** created_at: "2022-06-08T09:25:03Z" name: usergate-network default_security_group_id: enpbsnnop4ak********
For more information about the
yc vpc network create
command, see the CLI reference. -
Create a subnet named
usergate-subnet-ru-central1-d
in theru-central1-d
availability zone:yc vpc subnet create usergate-subnet-ru-central1-d \ --zone ru-central1-d \ --network-name usergate-network \ --range 10.1.0.0/16
Result:
id: e9bnnssj8sc8******** folder_id: b1g9hv2loamq******** created_at: "2022-06-08T09:27:00Z" name: usergate-subnet-ru-central1-d network_id: enptrcle5q3d******** zone_id: ru-central1-d v4_cidr_blocks: - 10.1.0.0/16
For more information about the
yc vpc subnet create
command, see the CLI reference.
-
In the configuration file, describe the network parameters for
usergate-network
and its subnets:resource "yandex_vpc_network" "usergate-network" { name = "usergate-network" } resource "yandex_vpc_subnet" { name = "usergate-subnet-ru-central1-d" zone = "ru-central1-d" network_id = "${yandex_vpc_network.usergate-network.id}" v4_cidr_blocks = ["10.1.0.0/16"] }
For more information, see the descriptions of the yandex_vpc_network
and yandex_vpc_subnet resources in the Terraform provider documentation. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
-
- Create a network named
usergate-network
using the NetworkService/Create gRPC API call or the create REST API method for the Network resource. - Create a subnet named
usergate-subnet-ru-central1-d
using the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.
Reserve a static public IP address
The gateway will need a static public IP address.
- In the management console
, go to the page of the folder you want to reserve an IP address in. - In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select
IP addresses. - Click Reserve address.
- In the window that opens, select the
ru-central1-d
availability zone. - Click Reserve address.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-d
Result:
id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
address: 178.154.253.52
zone_id: ru-central1-d
requirements: {}
reserved: true
For more information about the yc vpc address create
command, see the CLI reference.
In the configuration file, describe the parameters of the yandex_vpc_address
public IP address:
resource "yandex_vpc_address" "usergate-addr" {
name = "usergate-addr"
external_ipv4_address {
zone_id = "ru-central1-d"
}
}
For more information, see the vpc_address
Create a UserGate VM
-
On the folder page in the management console
, click Create resource and selectVirtual machine instance
. -
Under Boot disk image, in the Product search field, enter
UserGate NGFW
and select the UserGate NGFW image. -
Under Location, select the
ru-central1-d
availability zone. -
Under Computing resources, navigate to the
Custom
tab and specify the required platform, number of vCPUs, and amount of RAM:- Platform:
Intel Ice Lake
. - vCPU:
4
. - Guaranteed vCPU performance:
100%
- RAM:
8 GB
Note
These parameters are appropriate for functional testing of the gateway. To calculate the parameters for the production workload, read the UserGate official recommendations
. - Platform:
-
Under Network settings:
- In the Subnet field, select a network named
usergate-network
and a subnet namedusergate-subnet-ru-central1-d
. - In the Public IP field, click
List
and select the IP address reserved earlier.
- In the Subnet field, select a network named
-
Under Access, select SSH key and specify the VM access data:
- Under Login, enter the username. Do not use
root
or other names reserved by the OS. To perform operations requiring superuser permissions, use thesudo
command. -
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no saved SSH keys in your profile, or you want to add a new key:
- Click Add key.
- Enter a name for the SSH key.
- Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
- Click Add.
The SSH key will be added to your organization user profile.
If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under Login, enter the username. Do not use
-
Under General information, specify the VM name:
usergate-firewall
. -
Click Create VM.
-
Create an SSH key pair.
-
Run this command:
yc compute instance create \ --name usergate-firewall \ --memory 8 \ --cores 4 \ --zone ru-central1-d \ --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \ --ssh-key <path_to_public_part_of_SSH_key> \ --public-address=<reserved_IP_address>
Result:
id: fhm2na1siftp******** folder_id: b1g86q4m5vej******** created_at: "2022-06-09T11:15:52Z" name: usergate-firewall zone_id: ru-central1-d platform_id: standard-v2 resources: memory: "8589934592" cores: "4" core_fraction: "100" status: RUNNING boot_disk: mode: READ_WRITE device_name: fhmiq60rni2t******** auto_delete: true disk_id: fhmiq60rni2t******** network_interfaces: - index: "0" mac_address: d0:0d:2b:a8:3c:93 subnet_id: e9bqlr188as7******** primary_v4_address: address: 10.1.0.27 one_to_one_nat: address: 51.250.72.1 ip_version: IPV4 fqdn: fhm2na1siftp********.auto.internal scheduling_policy: {} network_settings: type: STANDARD placement_policy: {}
For more information about the
yc compute instance create
command, see the CLI reference.
-
Get an ID of the latest version of the UserGate NGFW gateway from the list of public images.
-
In the configuration file, describe the parameters of the
usergate-firewall
VM:resource "yandex_compute_disk" "boot-disk" { name = "boot-disk" type = "network-hdd" zone = "ru-central1-d" size = "110" image_id = "<UserGate_NGFW_image_ID>" } resource "yandex_compute_instance" "usergate-firewall" { name = "usergate-firewall" platform_id = "standard-v3" zone = "ru-central1-d" hostname = "usergate" resources { cores = 4 core_fraction = 100 memory = 8 } boot_disk { disk_id = yandex_compute_disk.boot-disk.id } network_interface { subnet_id = "${yandex_vpc_subnet.usergate-subnet.id}" nat = true nat_ip_address = <reserved_IP_address> }
For more information, see the yandex_compute_instance
resource description in the Terraform provider documentation. -
Make sure the configuration files are correct.
-
In the command line, go to the folder with the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
-
Create the usergate-firewall
VM using the create REST API method for the Instance resource.
Set up the UserGate NGFW via the admin console
To set up the gateway, go to the UserGate NGFW admin console at https://<UserGate_VM_public_IP_address>:8001
and log in with the default credentials: Admin
for username and utm
for password.
When you are logged in, the system prompts you to change the default password and update the OS.
Set up the gateway to run in firewall mode
Configure UserGate NGFW:
- In the top menu, select Settings.
- In the menu on the left, go to Network ⟶ Zones.
- Click the
Trusted
zone name. - Click Access control, then enable Administration console. Click Save.
- In the menu on the left, go to Network ⟶ Interfaces.
- Click the
port0
network interface name. - On the General tab, select the
Trusted
zone from the list in the Zone field. Click Save. - In the menu on the left, click Network policies ⟶ Firewall.
- Click the name of the
Allow trusted to untrusted
preset rule. - Go to the Destination tab and disable the
Untrusted
zone. Click Save. - Enable the
Allow trusted to untrusted
rule. To do this, select the line with the rule and click Enable at the top of the screen. - In the menu on the left, click Network policies ⟶ NAT and routing.
- Click the name of the
NAT from Trusted to Untrusted
preset rule. - Go to the Destination tab and change the destination zone from
Untrusted
toTrusted
. Click Save. - Enable the
NAT from Trusted to Untrusted
rule. To do this, select the line with the rule and click Enable at the top of the screen.
Now the gateway has been set up.
Set up the traffic filtering rules
We recommend using the following default policies: Block to botnets
, Block from botnets
, and Example block RU RKN by IP list
. First change several parameters in them:
- Click Network policies ⟶ Firewall.
- Click the name of the preset rule.
- Go to the Source tab and change the source zone from
Untrusted
toTrusted
. - Go to the Destination tab and disable the
Untrusted
zone. - Click Save.
- Enable the selected rule. To do this, select the line with the rule and click Enable at the top of the screen.
For higher security, set up more traffic filtering rules:
-
Click Network policies ⟶ Firewall.
-
Add the first blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule parameters:
- Name:
Block QUIC protocol
. - Action: Deny.
- Name:
-
Go to the Source tab and select
Trusted
. -
Click Service.
-
Click Add.
-
Select
Quick UDP Internet Connections
and click Add. After that, click Close. -
Click Save.
-
-
Add the second blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule parameters:
- Name:
Block Windows updates
. - Action: Deny.
- Name:
-
Go to the Source tab and select
Trusted
. -
Click Applications.
-
Click Add ⟶ Add applications.
-
Select the
Microsoft Update
app and click Add. -
Select the
WinUpdate
app and click Add. After that, click Close. -
Click Save.
-
You can also add other traffic filtering rules. We don't recommend combining services and applications in the same rule. The rule might not trigger in this case.
Set up routing for the subnet
Create a static route:
-
In the management console
, go to the folder you need to create a static route in. -
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select
Route tables. -
Click Create.
-
Enter a name for the route table. The naming requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
(Optional) Add a description of a route table.
-
Select the
usergate-network
network. -
Click Add route.
-
In the window that opens, enter the prefix for the target subnet (
0.0.0.0
) and select0
from the drop-down list. -
Specify next hop, i.e., the internal IP address of the UserGate VM named
usergate-firewall
. -
Click Add.
-
Click Create route table.
To use static routes, link the route table to a subnet:
- In the left-hand panel, select
Subnets. - In the
usergate-subnet-ru-central1-d
row, click . - In the menu that opens, select Link route table.
- In the window that opens, select the created table from the list.
- Click Link.
To create a route table and add static routes:
-
View the description of the CLI command for creating route tables:
yc vpc route-table create --help
-
Get the IDs of cloud networks in your cloud:
yc vpc network list
Result:
+----------------------+--------------------+ | ID | NAME | +----------------------+--------------------+ | enp846vf5fus******** | usergate-network | +----------------------+--------------------+
-
Create a route table in the
usergate-network
network:yc vpc route-table create \ --name=test-route-table \ --network-id=enp846vf5fus******** \ --route destination=0.0.0.0/0,next-hop=10.129.0.24
Where:
name
: Name of the route table.network-id
: ID of the network where the table will be created.route
: Route settings, which include these two parameters:destination
: Destination subnet prefix in CIDR notation.next-hop
: Internal IP address of the UserGate VM namedusergate-firewall
.
Result:
...done id: enpsi6b08q2v******** folder_id: b1gqs1teo2q2******** created_at: "2019-06-24T09:57:54Z" name: test-route-table network_id: enp846vf5fus******** static_routes: - destination_prefix: 0.0.0.0/0 next_hop_address: 10.129.0.24
To use static routes, link the route table to a subnet:
-
Get a list of subnets in your cloud:
yc vpc subnet list
Result:
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+ | ID | NAME | NETWORK ID | ROUTE TABLE ID | ZONE | RANGE | +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+ | b0c4l3v9jrgd******** | usergate-subnet-ru-central1-d | enpjsdf771h0******** | | ru-central1-d | [10.130.0.0/24] | +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+
-
Assign the routing table to the subnet the web service will run in, e.g.,
usergate-subnet-ru-central1-d
:yc vpc subnet update b0c4l3v9jrgd******** --route-table-id e2l5345dlgr1********
Result:
..done id: b0c4l3v9jrgd******** folder_id: b1gqs1teo2q2******** created_at: "2019-03-12T13:27:22Z" name: subnet-1 network_id: enp846vf5fus******** zone_id: ru-central1-d v4_cidr_blocks: - 192.168.0.0/24 route_table_id: e2l5345dlgr1********
To create a route table and add static routes:
-
In the configuration file, describe the parameters of the resources you want to create:
-
name
: Name of the route table. The name format is as follows:- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
network_id
: ID of the network the table will be created in. -
static_route
: Static route description:destination_prefix
: Destination subnet prefix in CIDR notation.next_hop_address
: Internal IP address of the VM from the allowed ranges the traffic will be routed through.
Here is an example of the configuration file structure:
resource "yandex_vpc_route_table" "usergate-rt-d" { name = "<route_table_name>" network_id = "<network_ID>" static_route { destination_prefix = "0.0.0.0/0" next_hop_address = "10.129.0.24" } }
To add, update, or delete a route table, use the
yandex_vpc_route_table
resource indicating the network in thenetword id
field, e.g.network_id = "${yandex_vpc_network.lab-net.id}"
.For more information about the
yandex_vpc_route_table
resource parameters in Terraform, see the provider documentation . -
-
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console
or this CLI command:yc vpc route-table list
-
Test the firewall
To test your firewall, create a test web service and make sure that you can access it from the internet.
Set up a test VM
-
Create a VM from a public Linux image in the
usergate-subnet-ru-central1-d
subnet. In the VM settings, enable the serial console. -
To connect to the VM via the CLI, run the command:
yc compute connect-to-serial-port --instance-name <VM_name>
Where:
--instance-name
: Test VM name. -
Start the test web service:
sudo python3 -m http.server 80
The web server will listen to requests on port 80 and return a list of directories and files from the folder.
Use the firewall to set up a reverse proxy to the web service
-
In the UserGate administrator web console, in the top menu, select Settings.
-
On the left in the Global portal section, select Web portal, and set up access by an HTTP address:
- Click Add to open the portal adding dialog.
- Tick the Enabled option on.
- In the Name field, enter
Test web portal
. - In the URL field, enter
http://<UserGate_VM_IP_address>
. - Leave SSL profile at default.
- In the Certificate field, select
CA (Default)
. - Click Save.
-
Select Reverse proxy servers and add a new server:
- Click Add to open the server adding dialog.
- In the Name field, enter
Local server
. - In the Server address field, enter
<test_VM_internal_IP>
, e.g.,10.129.0.24
. - In the Port field, enter
80
. - Click Save.
-
Select Reverse proxy rules and add a new rule:
- Click Add to open the rule adding dialog.
- Tick the Enabled option on.
- In the Name field, enter
Access to local server
. - In the Reverse proxy server field, select
Local server
. - In the Ports field, enter
5550
. - Click Save.
This completes setting up access to a local server. The firewall will accept requests on port 5550 and forward them to port 80 on the test VM IP address.
Test that the web server is available from the internet
-
Make sure that you can execute a request against the web service at the URL:
http://<IP_address_of_UserGate_VM>:5550
This should return a list of directories and files in the folder.
-
In the UserGate administrator web console, in the top menu, select Logs and reports.
-
On the left side of the Logs section, select Web access log and make sure that you can see an entry about executing the
Access to local server
rule.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the
usergate-firewall
andlocal-service
VMs. - Delete the static public IP address.