Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Setting up a UserGate firewall

Written by
Improved by
Updated at November 28, 2025

UserGate is a next-generation firewall created by the Russia-based company UserGate.

In this tutorial, you will create and configure a Yandex Cloud VM running the UserGate firewall. To learn more about UserGate, sign up to our free course UserGate Getting Started.

To set up UserGate and test its work:

  1. Get your cloud ready.
  2. Create a cloud network with a subnet.
  3. Reserve a static public IP address.
  4. Create a UserGate VM.
  5. Set up the UserGate NGFW.
  6. Configure subnet routing.
  7. Test the firewall.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The cost of the UserGate firewall infrastructure includes:

Create a cloud network with a subnet

Create a cloud network with a subnet in the availability zone where your VM will reside.

  1. On the folder dashboard in the management console, click Create resource and select Network.
  2. Specify the network name: usergate-network.
  3. Enable the Create subnets option.
  4. Click Create network.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a network named usergate-network:

    yc vpc network create usergate-network

    Result:

    id: enptrcle5q3d********
folder_id: b1g9hv2loamq********
created_at: "2022-06-08T09:25:03Z"
name: usergate-network
default_security_group_id: enpbsnnop4ak********

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create the usergate-subnet-ru-central1-d subnet in the ru-central1-d availability zone:

    yc vpc subnet create usergate-subnet-ru-central1-d \
  --zone ru-central1-d \
  --network-name usergate-network \
  --range 10.1.0.0/16

    Result:

    id: e9bnnssj8sc8********
folder_id: b1g9hv2loamq********
created_at: "2022-06-08T09:27:00Z"
name: usergate-subnet-ru-central1-d
network_id: enptrcle5q3d********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.1.0.0/16

    For more information about the yc vpc subnet create command, see the CLI reference.

  1. Specify the usergate-network and its subnet settings in the terraform configuration file:

    resource "yandex_vpc_network" "usergate-network" {
  name = "usergate-network"
}

resource "yandex_vpc_subnet" {
  name           = "usergate-subnet-ru-central1-d"
  zone           = "ru-central1-d"
  network_id     = "${yandex_vpc_network.usergate-network.id}"
  v4_cidr_blocks = ["10.1.0.0/16"]
}

    For more information, see the yandex_vpc_network and yandex_vpc_subnet descriptions in the Terraform provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

  1. To create usergate-network, use the NetworkService/Create gRPC API call or the create REST API method for the Network resource.
  2. To create the usergate-subnet-ru-central1-d subnet, use the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.

Reserve a static public IP address

Your gateway will need a static public IP address.

  1. In the management console, navigate to the folder where you want to reserve your IP address.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-d availability zone.
  6. Click Reserve address.

Run this command:

yc vpc address create --external-ipv4 zone=ru-central1-d

Result:

id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
  address: 178.154.253.52
  zone_id: ru-central1-d
  requirements: {}
reserved: true

For more information about the yc vpc address create command, see the CLI reference.

In the configuration file, specify the yandex_vpc_address settings:

resource "yandex_vpc_address" "usergate-addr" {
name = "usergate-addr"
external_ipv4_address {
  zone_id = "ru-central1-d"
  }
}

For more information, see the vpc_address resource description in the Terraform provider documentation.

Create a UserGate VM

  1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

  2. Select Advanced setup.

  3. Under Boot disk image, in the Product search field, type UserGate NGFW and select the UserGate NGFW image.

  4. Under Location, select the ru-central1-d availability zone.

  5. Under Computing resources, navigate to the Custom tab and specify the platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 4
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB

    Note

    These settings will suffice for the gateway functional testing. For the production environment, use the UserGate official recommendations.

  6. Under Network settings:

    • In the Subnet field, select usergate-network and the usergate-subnet-ru-central1-d subnet.
    • In the Public IP address field, click List and select the previously reserved IP address.

  7. Under Access, select the SSH key option, and specify the VM access credentials:

    • In the Login field, enter the username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  8. Under General information, specify the VM name: usergate-firewall.

  9. Click Create VM.

  1. Create an SSH key pair.

  2. Run this command:

    yc compute instance create \
  --name usergate-firewall \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-d \
  --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
  --ssh-key <path_to_public_part_of_SSH_key> \
  --public-address=<reserved_IP_address>

    Result:

    id: fhm2na1siftp********
folder_id: b1g86q4m5vej********
created_at: "2022-06-09T11:15:52Z"
name: usergate-firewall
zone_id: ru-central1-d
platform_id: standard-v2
resources:
  memory: "8589934592"
  cores: "4"
  core_fraction: "100"
status: RUNNING
boot_disk:
  mode: READ_WRITE
  device_name: fhmiq60rni2t********
  auto_delete: true
  disk_id: fhmiq60rni2t********
network_interfaces:
- index: "0"
  mac_address: d0:0d:2b:a8:3c:93
  subnet_id: e9bqlr188as7********
  primary_v4_address:
    address: 10.1.0.27
    one_to_one_nat:
      address: 51.250.72.1
      ip_version: IPV4
fqdn: fhm2na1siftp********.auto.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}

    For more information about the yc compute instance create command, see the CLI reference.

  1. In the list of public images, select the latest version of the UserGate NGFW and get its ID.

  2. Describe the usergate-firewall VM settings in the terraform configuration file:

    resource "yandex_compute_disk" "boot-disk" {
  name     = "boot-disk"
  type     = "network-hdd"
  zone     = "ru-central1-d"
  size     = "110"
  image_id = "<UserGate_NGFW_image_ID>"
}

resource "yandex_compute_instance" "usergate-firewall" {
  name        = "usergate-firewall"
  platform_id = "standard-v3"
  zone        = "ru-central1-d"
  hostname    = "usergate"
  resources {
    cores         = 4
    core_fraction = 100
    memory        = 8
  }

  boot_disk {
    disk_id = yandex_compute_disk.boot-disk.id
  }

  network_interface {
    subnet_id          = "${yandex_vpc_subnet.usergate-subnet.id}"
    nat                = true
    nat_ip_address     = <reserved_IP_address>
  }

    For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.

  3. Make sure your configuration files are correct.

    1. In the terminal, navigate to the configuration file directory.

    2. Run a check using this command:

      terraform plan

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  4. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

To create the usergate-firewall VM, use the create REST API method for the Instance resource.

Set up the UserGate NGFW

Open the UserGate NGFW admin console at https://<UserGate_VM_public_IP_address>:8001 and log in with the default credentials: Admin / utm.

Once you log in, the system will prompt you to change the default password and update the OS.

Set up your gateway to work as firewall

Configure UserGate NGFW:

  1. In the top menu, select Settings.
  2. In the left menu, navigate to NetworkZones.
  3. Click the Trusted zone.
  4. Click Access control, enable Administration console, and click Save.
  5. In the left menu, navigate to NetworkInterfaces.
  6. Click the port0 network interface.
  7. On the General tab, select Trusted in the Zone field and click Save.
  8. In the left menu, click Network policiesFirewall.
  9. Click the Allow trusted to untrusted preset rule.
  10. Navigate to the Destination tab and disable the Untrusted zone. Click Save.
  11. Enable the Allow trusted to untrusted rule by selecting it and clicking Enable at the top of the screen.
  12. In the left menu, click Network policiesNAT and routing.
  13. Click the NAT from Trusted to Untrusted preset rule.
  14. Navigate to the Destination tab and change the destination zone from Untrusted to Trusted. Click Save.
  15. Enable the NAT from Trusted to Untrusted rule by selecting it and clicking Enable at the top of the screen.

Now you configured the gateway.

Configure traffic filtering rules

We recommend using the Block to botnets, Block from botnets, and Example block RU RKN by IP list default policies with customized settings:

  1. Click Network policiesFirewall.
  2. Click the name of the preset default policy from the list above.
  3. Navigate to the Source tab and change the source zone from Untrusted to Trusted.
  4. Navigate to the Destination tab and disable the Untrusted zone.
  5. Click Save.
  6. Enable the selected rule by selecting it and clicking Enable at the top of the screen.

Add more rules to enhance security:

  1. Click Network policiesFirewall.

  2. Add the first blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block QUIC protocol
      • Action: Deny

    3. Navigate to the Source tab and select Trusted.

    4. Click Service.

    5. Click Add.

    6. Select Quick UDP Internet Connections, click Add, and then Close.

    7. Click Save.

  3. Add the second blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block Windows updates
      • Action: Deny

    3. Navigate to the Source tab and select Trusted.

    4. Click Applications.

    5. Click AddAdd applications.

    6. Select the Microsoft Update app and click Add.

    7. Select the WinUpdate app, click Add, and then Close.

    8. Click Save.

You can also add more traffic filtering rules. Avoid combining services and applications in the same rule. Doing so may make the rule inoperable.

Configure subnet routing

Create a static route:

  1. In the management console, navigate to the folder where you want to create a static route.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Route tables.

  4. Click Create.

  5. Specify the route table name Follow these naming requirements:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  6. Optionally, describe the route table.

  7. Select usergate-network.

  8. Click Add route.

  9. In the window that opens, specify the destination subnet prefix (0.0.0.0) and select 0 from the drop-down list.

  10. In the next hop field, specify the usergate-firewall internal IP address.

  11. Click Add.

  12. Click Create route table.

Link your route table to a subnet that will use its static routes:

  1. In the left-hand panel, select Subnets.
  2. Click next to usergate-subnet-ru-central1-d.
  3. In the menu that opens, select Link route table.
  4. In the window that opens, select your route table from the list.
  5. Click Link.

To create a route table with static routes:

  1. View the description of the CLI command to create route tables:

    yc vpc route-table create --help

  2. Get your cloud network ID:

    yc vpc network list

    Result:

    +----------------------+--------------------+
|          ID          |      NAME          |
+----------------------+--------------------+
| enp846vf5fus******** | usergate-network   |
+----------------------+--------------------+

  3. Create a usergate-network route table:

    yc vpc route-table create \
  --name=test-route-table \
  --network-id=enp846vf5fus******** \
  --route destination=0.0.0.0/0,next-hop=10.129.0.24

    Where:

    • name: Route table name.
    • network-id: Route table network ID.
    • route: Route settings:
      • destination: Destination CIDR block.
      • next-hop: usergate-firewall internal IP address.

    Result:

    ...done
id: enpsi6b08q2v********
folder_id: b1gqs1teo2q2********
created_at: "2019-06-24T09:57:54Z"
name: test-route-table
network_id: enp846vf5fus********
static_routes:
- destination_prefix: 0.0.0.0/0
  next_hop_address: 10.129.0.24

Link your route table to a subnet that will use its static routes:

  1. Get a list your cloud subnets:

    yc vpc subnet list

    Result:

    +----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+
|          ID          |               NAME            |      NETWORK ID      |    ROUTE TABLE ID    |       ZONE    |      RANGE      |
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+
| b0c4l3v9jrgd******** | usergate-subnet-ru-central1-d | enpjsdf771h0******** |                      | ru-central1-d | [10.130.0.0/24] |
+----------------------+-------------------------------+----------------------+----------------------+---------------+-----------------+

  2. Link the route table to the usergate-subnet-ru-central1-d web service-hosting subnet:

    yc vpc subnet update b0c4l3v9jrgd******** --route-table-id e2l5345dlgr1********

    Result:

    ..done
id: b0c4l3v9jrgd********
folder_id: b1gqs1teo2q2********
created_at: "2019-03-12T13:27:22Z"
name: subnet-1
network_id: enp846vf5fus********
zone_id: ru-central1-d
v4_cidr_blocks:
- 192.168.0.0/24
route_table_id: e2l5345dlgr1********

To create a route table with static routes:

  1. In the configuration file, describe the properties of resources you want to create:

    • name: Route table name. Use the following name format:

      • It must be from 2 to 63 characters long.
      • It can only contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • network_id: ID of the network to host the table.

    • static_route: Static route description:

      • destination_prefix: Destination CIDR block.
      • next_hop_address: gateway VM internal IP address serving as the next hop for the allowed traffic.

    Here is the configuration file example:

    resource "yandex_vpc_route_table" "usergate-rt-d" {
  name       = "<route_table_name>"
  network_id = "<network_ID>"
  static_route {
    destination_prefix = "0.0.0.0/0"
    next_hop_address   = "10.129.0.24"
  }
}

    To add, update, or delete a route table, use the yandex_vpc_route_table resource indicating the network in the netword id field, e.g., network_id = "${yandex_vpc_network.lab-net.id}".

    For more information about the yandex_vpc_route_table Terraform resource properties, see the provider documentation.

  2. Make sure your configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

      This will create all the resources you need in the specified folder. You can see their detailed description using the management console or this CLI command:

      yc vpc route-table list

Test the firewall

To test the firewall, we will create a test web service and check whether we can access it from the internet.

Set up a test VM

  1. Create a VM from a public Linux image in the usergate-subnet-ru-central1-d subnet and enable the serial console in its settings.

  2. Connect to the VM by running the following CLI command:

    yc compute connect-to-serial-port --instance-name <VM_name>

    Where:
    --instance-name: Test VM name.

  3. Start the test web service:

    sudo python3 -m http.server 80

    The web server will listen on port 80 and return the contents of the httpdocs directory.

Set up the web server reverse proxy on your firewall

  1. In the UserGate admin web UI, select Settings from the top menu.

  2. In the Global portal section on the left, select Web portal, and set up HTTP access to the gateway:

    1. Click Add to open the new portal dialog.
    2. Tick the Enabled option.
    3. In the Name field, specify Test web portal.
    4. In the URL field, specify http://<UserGate_VM_IP_address>.
    5. In the SSL profile field, leave the default value.
    6. In the Certificate field, select CA (Default).
    7. Click Save.

  3. Select Reverse proxy servers and add a new server:

    1. Click Add to open the new server dialog.
    2. In the Name field, specify Local server.
    3. In the Server address field, specify the test web server VM IP address, e.g., 10.129.0.24.
    4. In the Port field, specify 80.
    5. Click Save.

  4. Select Reverse proxy rules and add a new rule:

    1. Click Add to open the new rule dialog.
    2. Tick the Enabled option.
    3. In the Name field, specify Access to local server.
    4. In the Reverse proxy server field, select Local server.
    5. In the Ports field, specify 5550.
    6. Click Save.

    Now you configured access to your test web server. The firewall will forward requests on port 5550 to the test VM IP address on port 80.

Check whether your web server is accessible from the internet

  1. Make an HTTP request to your server by opening the following address in your browser:

    http://<IP_address_of_UserGate_VM>:5550

    You should see the contents of your httpdocs folder.

  2. In the top menu of the UserGate admin web UI, select Logs and reports.

  3. In the Logs section on the left, select Web access log and find an entry about applying the Access to local server rule.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the usergate-firewall and local-service VMs.
  2. Delete the static public IP address.
Previous
Implementing a secure high-availability network infrastructure with a dedicated DMZ based on Smart-Soft NGFW
Next
Configuring VRRP for a BareMetal server cluster using Keepalived