Contact UsGet started

Setting up a UserGate firewall

Written by
Improved by
Updated at March 14, 2025

UserGate is a next-generation firewall created by the Russia-based company UserGate.

In this tutorial, you will create and configure a Yandex Cloud VM running the UserGate firewall. To learn more about UserGate, sign up to our free course UserGate Getting Started.

To set up UserGate and test its work:

  1. Get your cloud ready.
  2. Create a cloud network with a subnet.
  3. Reserve a static public IP address.
  4. Create a UserGate VM.
  5. Set up the UserGate NGFW.
  6. Configure subnet routing.
  7. Test the firewall.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of the UserGate firewall infrastructure includes:

Create a cloud network with a subnet

Create a cloud network with a subnet in the availability zone where your VM will reside.

  1. On the folder dashboard in the management console, click Create resource and select Network.
  2. Specify the network name: usergate-network.
  3. Enable the Create subnets option.
  4. Click Create network.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

  1. Create a network named usergate-network:

    yc vpc network create usergate-network

    Result:

    id: enptrcle5q3d********
folder_id: b1g9hv2loamq********
created_at: "2022-06-08T09:25:03Z"
name: usergate-network
default_security_group_id: enpbsnnop4ak********

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create a subnet named usergate-subnet-ru-central1-d in the ru-central1-d availability zone:

    yc vpc subnet create usergate-subnet-ru-central1-d \
  --zone ru-central1-d \
  --network-name usergate-network \
  --range 10.1.0.0/16

    Result:

    id: e9bnnssj8sc8********
folder_id: b1g9hv2loamq********
created_at: "2022-06-08T09:27:00Z"
name: usergate-subnet-ru-central1-d
network_id: enptrcle5q3d********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.1.0.0/16

    For more information about the yc vpc subnet create command, see the CLI reference.

  1. Specify the usergate-network and its subnet settings in the terraform configuration file:

    resource "yandex_vpc_network" "usergate-network" {
  name = "usergate-network"
}

resource "yandex_vpc_subnet" {
  name           = "usergate-subnet-ru-central1-d"
  zone           = "ru-central1-d"
  network_id     = "${yandex_vpc_network.usergate-network.id}"
  v4_cidr_blocks = ["10.1.0.0/16"]
}

    For more information, see the yandex_vpc_network and yandex_vpc_subnet resource descriptions in the Terraform provider documentation.

  2. Make sure your configuration files are correct.

    1. In the terminal, navigate to your configuration file directory.

    2. Run a check using this command:

      terraform plan

    If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  3. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply

    2. When asked to confirm the changes, type yes and press Enter.

  1. To create usergate-network, use the NetworkService/Create gRPC API call or the create REST API method for the Network resource.
  2. To create the usergate-subnet-ru-central1-d subnet, use the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.

Reserve a static public IP address

Your gateway will need a static public IP address.

  1. In the management console, navigate to the folder where you want to reserve your IP address.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-d availability zone.
  6. Click Reserve address.

Run this command:

yc vpc address create --external-ipv4 zone=ru-central1-d

Result:

id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
  address: 178.154.253.52
  zone_id: ru-central1-d
  requirements: {}
reserved: true

For more information about the yc vpc address create command, see the CLI reference.

In the configuration file, specify the yandex_vpc_address settings:

resource "yandex_vpc_address" "usergate-addr" {
name = "usergate-addr"
external_ipv4_address {
  zone_id = "ru-central1-d"
  }
}

For more information, see the vpc_address resource description in the Terraform provider documentation.

Create a UserGate VM

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, in the Product search field, type UserGate NGFW and select the UserGate NGFW image.

  3. Under Location, select the ru-central1-d availability zone.

  4. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 4
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB

    Note

    These settings will suffice for the gateway functional testing. For the production environment, use these UserGate official recommendations.

  5. Under Network settings:

    • In the Subnet field, select usergate-network and the usergate-subnet-ru-central1-d subnet.
    • In the Public IP address field, click List and select the previously reserved IP address.

  6. Under Access, select the SSH key option, and specify the VM access credentials:

    • Under Login, specify a username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  7. Under General information, specify the VM name: usergate-firewall.

  8. Click Create VM.

  1. Create an SSH key pair.

  2. Run this command:

    yc compute instance create \
  --name usergate-firewall \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-d \
  --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
  --ssh-key <path_to_public_part_of_SSH_key> \
  --public-address=<reserved_IP_address>

    Result:

    id: fhm2na1siftp********
folder_id: b1g86q4m5vej********
created_at: "2022-06-09T11:15:52Z"
name: usergate-firewall
zone_id: ru-central1-d
platform_id: standard-v2
resources:
  memory: "8589934592"
  cores: "4"
  core_fraction: "100"
status: RUNNING
boot_disk:
  mode: READ_WRITE
  device_name: fhmiq60rni2t********
  auto_delete: true
  disk_id: fhmiq60rni2t********
network_interfaces:
- index: "0"
  mac_address: d0:0d:2b:a8:3c:93
  subnet_id: e9bqlr188as7********
  primary_v4_address:
    address: 10.1.0.27
    one_to_one_nat:
      address: 51.250.72.1
      ip_version: IPV4
fqdn: fhm2na1siftp********.auto.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}

    For more information about the yc compute instance create command, see the CLI reference.

  1. In the list of public images, select the latest version of the UserGate NGFW and get its ID.

  2. Describe the usergate-firewall VM settings in the terraform configuration file:

    resource "yandex_compute_disk" "boot-disk" {
  name     = "boot-disk"
  type     = "network-hdd"
  zone     = "ru-central1-d"
  size     = "110"
  image_id = "<UserGate_NGFW_image_ID>"
}

resource "yandex_compute_instance" "usergate-firewall" {
  name        = "usergate-firewall"
  platform_id = "standard-v3"
  zone        = "ru-central1-d"
  hostname    = "usergate"
  resources {
    cores         = 4
    core_fraction = 100
    memory        = 8
  }

  boot_disk {
    disk_id = yandex_compute_disk.boot-disk.id
  }

  network_interface {
    subnet_id          = "${yandex_vpc_subnet.usergate-subnet.id}"
    nat                = true
    nat_ip_address     = <reserved_IP_address>
  }

    For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.

  3. Make sure your configuration files are correct.

    1. In the terminal, navigate to the configuration file directory.

    2. Run a check using this command:

      terraform plan

    If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  4. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply

    2. When asked to confirm the changes, type yes and press Enter.

To create the usergate-firewall VM, use the create REST API method for the Instance resource.

Set up the UserGate NGFW

Open the UserGate NGFW admin console at https://<UserGate_VM_public_IP_address>:8001 and log in with the default credentials: Admin for username and utm for password.

Once you log in, the system will prompt you to change the default password and update the OS.

Set up your gateway to work as firewall

Configure UserGate NGFW:

  1. In the top menu, select Settings.
  2. In the left menu, navigate to NetworkZones.
  3. Click the Trusted zone.
  4. Click Access control, then enable Administration console. Click Save.
  5. In the left menu, navigate to NetworkInterfaces.
  6. Click the port0 network interface.
  7. On the General tab, in the Zone field, select Trusted from the list. Click Save.
  8. In the left menu, click Network policiesFirewall.
  9. Click the Allow trusted to untrusted preset rule.
  10. Navigate to the Destination tab and disable the Untrusted zone. Click Save.
  11. Enable the Allow trusted to untrusted rule by selecting it and clicking Enable at the top of the screen.
  12. In the left menu, click Network policiesNAT and routing.
  13. Click the NAT from Trusted to Untrusted preset rule.
  14. Navigate to the Destination tab and change the destination zone from Untrusted to Trusted. Click Save.
  15. Enable the NAT from Trusted to Untrusted rule by selecting it and clicking Enable at the top of the screen.

Now you configured the gateway.

Configure traffic filtering rules

We recommend using the Block to botnets, Block from botnets, and Example block RU RKN by IP list default policies with customized settings:

  1. Click Network policiesFirewall.
  2. Click the name of the preset default policy from the list above.
  3. Navigate to the Source tab and change the source zone from Untrusted to Trusted.
  4. Navigate to the Destination tab and disable the Untrusted zone.
  5. Click Save.
  6. Enable the rule by selecting it and clicking Enable at the top of the screen.

Add more rules to enhance security:

  1. Click Network policiesFirewall.

  2. Add the first blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block QUIC protocol
      • Action: Deny

    3. Navigate to the Source tab and select Trusted.

    4. Click Service.

    5. Click Add.

    6. Select Quick UDP Internet Connections and click Add and then Close.

    7. Click Save.

  3. Add the second blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block Windows updates
      • Action: Deny

    3. Navigate to the Source tab and select Trusted.

    4. Click Applications.

    5. Click AddAdd applications.

    6. Select Microsoft Update and click Add.

    7. Select WinUpdate and click Add and then Close.

    8. Click Save.

You can add more traffic filtering rules. When doing that, avoid combining services and applications in the same rule; otherwise, it might not trigger.

Configure subnet routing

Create a static route:

  1. In the management console, navigate to the folder where you want to create a static route.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Route tables.

  4. Click Create.

  5. Specify the route table name meeing the following requirements:

    • It must be 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  6. Optionally, specify the route table description.

  7. Select usergate-network.

  8. Click Add route.

  9. In the window that opens, specify the destination subnet prefix (0.0.0.0) and select 0 from the drop-down list.

  10. In the next hop field, specify the usergate-firewall internal IP address.

  11. Click Add.

  12. Click Create route table.

Link your route table to a subnet that will use its static routes:

  1. In the left-hand panel, select Subnets.
  2. Click next to usergate-subnet-ru-central1-d.
  3. In the menu that opens, select Link route table.
  4. In the window that opens, select your route table from the list.
  5. Click Link.

To create a route table with static routes:

  1. Read the route-table create command description:

    yc vpc route-table create --help

  2. Get your cloud network ID:

    yc vpc network list

    Result:

    +----------------------+--------------------+
|          ID          |      NAME          |
+----------------------+--------------------+
| enp846vf5fus******** | usergate-network   |
+----------------------+--------------------+

  3. Create a usergate-network route table:

    yc vpc route-table create \
  --name=test-route-table \
  --network-id=enp846vf5fus******** \
  --route destination=0.0.0.0/0,next-hop=10.129.0.24

    Where:

    • name: Route table name.
    • network-id: Route table network ID.
    • route: Route settings:
      • destination: Destination CIDR block.
      • next-hop: usergate-firewall internal IP address.

    Result:

    ...done
id: enpsi6b08q2v********
folder_id: b1gqs1teo2q2********
created_at: "2019-06-24T09:57:54Z"
name: test-route-table
network_id: enp846vf5fus********
static_routes:
- destination_prefix: 0.0.0.0/0
  next_hop_address: 10.129.0.24

Link your route table to a subnet that will use its static routes:

  1. Get a list your cloud subnets:

    yc vpc subnet list

    Result:

    +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+
|          ID          |               NAME            |      NETWORK ID      |    ROUTE TABLE ID    |       ZONE    |      RANGE      |
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+
| b0c4l3v9jrgd******** | usergate-subnet-ru-central1-d | enpjsdf771h0******** |                      | ru-central1-d | [10.130.0.0/24] |
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+

  2. Link the route table to the usergate-subnet-ru-central1-d web service-hosting subnet:

    yc vpc subnet update b0c4l3v9jrgd******** --route-table-id e2l5345dlgr1********

    Result:

    ..done
id: b0c4l3v9jrgd********
folder_id: b1gqs1teo2q2********
created_at: "2019-03-12T13:27:22Z"
name: subnet-1
network_id: enp846vf5fus********
zone_id: ru-central1-d
v4_cidr_blocks:
- 192.168.0.0/24
route_table_id: e2l5345dlgr1********

To create a route table with static routes:

  1. Describe the resources you want to create in the terraform configuration file:

    • name: Route table name. Meeting the following requirements:

      • It must be 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • network_id: Route table network ID.

    • static_route: Static route description:

      • destination_prefix: Destination CIDR block.
      • next_hop_address: gateway VM internal IP address serving as the next hop for the allowed traffic.

    Here is the configuration file example:

    resource "yandex_vpc_route_table" "usergate-rt-d" {
  name       = "<route_table_name>"
  network_id = "<network_ID>"
  static_route {
    destination_prefix = "0.0.0.0/0"
    next_hop_address   = "10.129.0.24"
  }
}

    To add, update, or delete a route table, use the yandex_vpc_route_table resource and specify its network ID in the netword id field, e.g. network_id = "${yandex_vpc_network.lab-net.id}".

    For more information about the yandex_vpc_route_table Terraform resource properties, see the provider documentation.

  2. Make sure your configuration files are correct.

    1. In the terminal, navigate to your configuration file directory.

    2. Run a check using this command:

      terraform plan

    If your configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  3. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply

    2. When asked to confirm the changes, type yes and press Enter.

      Terraform will create your resources in the specified folder. You can see their detailed description using the management console or this CLI command:

      yc vpc route-table list

Test the firewall

To test the firewall, we will create a test web service and check whether we can access it from the internet.

Set up a test VM

  1. Create a Linux-running VM in the usergate-subnet-ru-central1-d subnet and enable the serial console in its settings.

  2. Connect to the VM by running the following CLI command:

    yc compute connect-to-serial-port --instance-name <VM_name>

    Where:
    --instance-name: Test VM name.

  3. Start the test web service:

    sudo python3 -m http.server 80

    The web server will listen on port 80 and return the contents of the httpdocs directory.

Set up the web server reverse proxy on your firewall

  1. In the UserGate admin web UI, select Settings from the top menu.

  2. In the Global portal section on the left, select Web portal, and set up HTTP access to the gateway:

    1. Click Add to open the new portal dialog.
    2. Tick the Enabled option.
    3. In the Name field, specify Test web portal.
    4. In the URL field, specify http://<UserGate_VM_IP_address>.
    5. In the SSL profile field, leave the default value.
    6. In the Certificate field, select CA (Default).
    7. Click Save.

  3. Select Reverse proxy servers and add a new server:

    1. Click Add to open the new server dialog.
    2. In the Name field, specify Local server.
    3. In the Server address field, specify the test web server VM IP address, e.g., 10.129.0.24.
    4. In the Port field, specify 80.
    5. Click Save.

  4. Select Reverse proxy rules and add a new rule:

    1. Click Add to open the new rule dialog.
    2. Tick the Enabled option.
    3. In the Name field, specify Access to local server.
    4. In the Reverse proxy server field, select Local server.
    5. In the Ports field, specify 5550.
    6. Click Save.

    Now you configured access to your test web server. The firewall will forward requests on port 5550 to the test VM IP address on port 80.

Check whether your web server is accessible from the internet

  1. Make an HTTP request to your server by opening the following address in your browser:

    http://<IP_address_of_UserGate_VM>:5550

    You should see the contents of your httpdocs folder.

  2. In the top menu of the UserGate admin web UI, select Logs and reports.

  3. In the Logs section on the left, select Web access log and find an entry about applying the Access to local server rule.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the usergate-firewall and local-service VMs.
  2. Delete the static public IP address.
Previous
Secure user access to cloud resources based on WireGuard VPN
Next
Implementing fault-tolerant scenarios for network VMs