Netgear SRX5308
Contents
1. Network Planning for Multiple WAN Ports 311 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Inbound Traffic to a Single WAN Port System. The Internet IP address of the VPN firewall's WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case, the WAN's Internet address is either a fixed IP or an FQDN if the IP address is dynamic.

[Figure 185: Single WAN port system. WAN IP and FQDN (netgear.dyndns.org); an FQDN is required for a dynamic IP address and is optional for a fixed IP address.]

Inbound Traffic to a Dual WAN Port System. The IP address range of the VPN firewall's WAN port needs to be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.

Inbound Traffic: Dual WAN Ports for Improved Reliability. In a dual WAN port auto-rollover configuration, the WAN port's IP address will always change when a rollover occurs. You need to use an FQDN that toggles between the IP addresses of the WAN ports, that is, WAN1 or WAN2.

[Figure: Dual WAN Ports Before Rollover (WAN1 IP active, WAN2 port inactive, WAN2 IP N/A) and Dual WAN Ports After Rollover (WAN1 port inactive, WAN1 IP N/A, WAN2 IP active); netgear.dyndns.org resolves to the IP address of active W
2. Detection Period: The period in seconds between the keep-alive requests. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default is 3 keep-alive requests.

Table 40: Add New VPN Policy screen settings (continued)
Setting / Description
Traffic Selection
Local IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
- Any: All PCs and devices on the network.
- Single: A single IP address on the network. Enter the IP address in the Start IP Address field.
- Range: A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
- Subnet: A subnet on the network. Enter the starting IP address in the Start IP Address field and the subnet mask in the Subnet Mask field.
Note: You cannot select Any for both the VPN firewall and the remote endpoint.
Remote IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The menu choices are the same as for the Local IP drop-down list.
Manual Policy Parameters
Note
3. Mask Length: For a network address, enter the netmask length (0 to 32). Note: By default, a single IP address is assigned a netmask length of 32.
Click the Add table button. The address is added to the Defined Addresses table.
Repeat step 6 and step 7 for any other addresses that you want to add to the Defined Addresses table.

To delete one or more addresses:
1. In the Defined Addresses table, select the check box to the left of the address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.

Configure Login Restrictions Based on Web Browser
To restrict logging in based on the user's browser:
1. Select Users > Users. The Users screen displays (see Figure 140 on page 227).
2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs display with the Login Policies screen in view.
3. Click the by Client Browser submenu tab. The By Client Browser screen displays. The following figure shows a browser in the Defined Browsers table as an example.

[Figure: Login Policies by Source IP Address screen (Operation succeeded); Username: guest; Deny Login from Defined Browsers / Allow Login only from Defined Brow
4. Failure Detection Method: None; DNS Lookup (WAN DNS Server); DNS Lookup (the configured IP address is displayed); PING (the configured IP address is displayed). You can set the failure detection method for each WAN interface on its corresponding WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure Detection Method on page 34).
Action: The Edit table button provides access to the WAN ISP Settings screen (see step 2) for the corresponding WAN interface; the Status button provides access to the Connection Status screen (see step 4) for the corresponding WAN interface.

2. Click the Edit table button in the Action column of the WAN interface for which you want to automatically configure the connection to the Internet. The WAN ISP Settings screen displays. The following figure shows the WAN1 ISP Settings screen as an example.

[Figure: Network Configuration > WAN1 ISP Settings screen (Secondary Addresses, Advanced; Operation succeeded). Fields: ISP Login (Does Your Internet Connection Require a Login? Yes/No; Login; Password), ISP Type (Which type of ISP connection do you use? Account Name, Domain Name, Other, PPPoE), Idle Timeout (Keep Connected / Idle Timeout 5 Minutes), Connection Reset (Disconnect Time HH:MM, Delay Sec), My IP Address, Server IP Ad
5. [Figure 67: Schedule screen. Scheduled Time of Day: All Day / Specific Times; Start Time and End Time (Hour, Minute, AM/PM).]
2. In the Scheduled Days section, select one of the following radio buttons:
- All Days: The schedule is in effect all days of the week.
- Specific Days: The schedule is active only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
3. In the Scheduled Time of Day section, select one of the following radio buttons:
- All Day: The schedule is in effect all hours of the selected day or days.
- Specific Times: The schedule is active only during specific hours of the selected day or days. To the right of the radio buttons, fill in the Start Time and End Time fields (Hour, Minute, AM/PM) during which the schedule is in effect.
4. Click Apply to save your settings to Schedule 1. Repeat these steps to set a schedule for Schedule 2 and Schedule 3.

Content Filtering
If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's content filtering and web components filtering features. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message.
Content Filtering
6. Configure the NETGEAR VPN Client for Mode Config Operation
Test the Mode Config Connection
Modify or Delete a Mode Config Record
Configure Keep-alives and Dead Peer Detection
Configure Keep-alives
Configure Dead Peer Detection
Configure NetBIOS Bridging with IPSec VPN
Chapter 6 Virtual Private Networking Using SSL Connections
SSL VPN Portal Options
Overview of the SSL Configuration Process
Create the Portal Layout
Configure Domains, Groups, and Users
Configure Applications for Port Forwarding
Add Servers and Port Numbers
Add a New Host Name
Configure the SSL VPN Client
Configure the Client IP Address Range
Add Routes for VPN Tunnel Clients
Use Network Resource Objects to Simplify Policies
Add New Network Resources
Edit Network Resources to Specify Addresses 209
Configure User, Group, and Global Policies 210
View Policies
7. [Figure 92: NETGEAR ProSafe VPN Client, Authentication tab (Authentication, Advanced, Certificate; Global Parameters). Addresses: Interface Any; Remote Gateway 10.34.116.22. Authentication: Preshared Key / Confirm, or Certificate. IKE: Encryption 3DES, Authentication SHA-1, Key Group DH2 (1024).]
Specify the settings that are explained in the following table.

Table 33: VPN client authentication settings
Setting / Description
Interface: Select Any from the drop-down list.
Remote Gateway: Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22.
Preshared Key: Select the Preshared Key radio button. Enter the pre-shared key that you already specified on the VPN firewall. For example, enter I7 KL39dFG_8. Confirm the key in the Confirm field.
IKE
Encryption: Select the 3DES encryption algorithm from the drop-down list.
Authentication: Select the SHA1 authentication algorithm from the drop-down list.
Key Group: Select the DH2 (1024) key group from the drop-down list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the
8. [Figure 173: SSL VPN Log Status screen (No Data Available; Refresh Log, Clear Log).]

View the Port Triggering Status
To view the status of the port triggering feature:
1. Select Security > Port Triggering. The Port Triggering screen displays (see Figure 71 on page 131).
2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen appears in a pop-up window.

[Figure 174: Port Triggering Status screen with columns Rule, LAN IP Address, Open Ports, Time Remaining (Sec); Refresh button.]

The Port Triggering Status screen displays the information that is described in the following table.

Table 73: Port Triggering Status screen information
Item / Description
(first column): The sequence number of the rule onscreen.
Rule: The name of the port triggering rule that is associated with this entry.
LAN IP Address: The IP address of the computer or device that is currently using this rule.
Open Ports: The incoming ports that are associated with this rule. Incoming traffic using one of these ports is sent to the IP address that is listed in the LAN IP Address field.
Time Remaining: The time remaining before this rule is released and made available for other computers or devices. This timer is restarted when incoming or outgoing traffic is re
9. [Figure 165: Log screen with Refresh Log, Clear Log, and Send Log buttons.]
You can refresh the logs, clear the logs, or send the logs to an email address.

View Status and Log Screens
The VPN firewall provides real-time information in a variety of status screens that are described in the following sections:
- View the System (Router) Status and Statistics
- View the VLAN Status
- View and Disconnect Active Users
- View the VPN Tunnel Connection Status
- View the VPN Logs
- View the Port Triggering Status
- View the WAN Port Connection Status
- View the Attached Devices and DHCP Log

View the System (Router) Status and Statistics
The Router Status screen, Detailed Status screen, and Router Statistics screen provide real-time information about the following important components of the VPN firewall:
- Firmware versions that are loaded on the VPN firewall
- WAN and LAN port information
- Interface statistics

View the Router Status Screen
To view the Router Status screen: Select Monitoring > Router Status. The Status tabs display with the Router Status screen in view (see the following figure). The following table explains the fields of the Router Status screen.

Table 68: Router Status screen information
Item / Description
System Info
System Name: The NETGEAR product name.
Firmware Version (Primary): The current software version th
10. To add servers and host names for client name resolution:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 126 on page 203).
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
- Local Server IP Address: The IP address of an internal server or host computer that you want to name.
- Fully Qualified Domain Name: The full server name.
Note: If the server or host computer that you want to name does not appear in the List of Configured Applications for Port Forwarding table, you need to add it before you can rename it.
3. Click the Add table button. The new application entry is added to the List of Configured Host Names for Port Forwarding table.

To delete a name from the List of Configured Host Names for Port Forwarding table, select the check box to the left of the name that you want to delete, and then click the Delete table button in the Action column.

Configure the SSL VPN Client
The SSL VPN client on the VPN firewall assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients. The following are some additional considerations:
- So that the virtual (PPP) interface ad
11. To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons:
- Edit: Allows you to make any changes to the definition of an existing rule. Depending on your selection, either the Edit LAN WAN Outbound Service screen (identical to Figure 43 on page 93) or the Edit LAN WAN Inbound Service screen (identical to Figure 44 on page 94) displays, containing the data for the selected rule.
- Up: Moves the rule up one position in the table rank.
- Down: Moves the rule down one position in the table rank.

To enable, disable, or delete one or more rules:
1. Select the check box to the left of the rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
- Enable: Enables the rule or rules. The status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled. By default, when a rule is added to the table, it is automatically enabled.
- Disable: Disables the rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled.
- Delete: Deletes the rule or rules.

LAN WAN Outbound Services Rules
You can define rules that specify exceptions to the defaul
12. Inbound Maximum Bandwidth: The inbound maximum allowed bandwidth in Kbps. The default setting is 100 Kbps; you cannot configure less than 100 Kbps. The maximum allowable bandwidth is 100000 Kbps.

Table 24: Add Bandwidth Profile screen settings (continued)
Setting / Description
Type: From the Type drop-down list, select the type for the bandwidth profile:
- Group: The profile applies to all users, that is, all users share the available bandwidth.
- Individual: The profile applies to an individual user, that is, each user can use the available bandwidth.
Maximum Number of Instances: If you select Individual from the Type drop-down list, you need to specify the maximum number of class instances that can be created by the individual bandwidth profile. Note: If the number of users exceeds the configured number of instances, the same bandwidth is shared among all the users of that bandwidth profile.

4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table.
5. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles. By default, the No radio button is selected.
6. Click Apply to save your settings.

To edit a bandwidth profile:
1. In the List of Bandwidth Profiles table, click the Edit table button to the
13. Manage the Application Level Gateway for SIP Sessions
The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default.
To enable ALG for SIP:
1. Select Security > Firewall > Advanced. The Advanced screen displays.
[Figure 58: Advanced screen (tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advanced) with the Enable SIP ALG check box.]
2. Select the Enable SIP ALG check box.
3. Click Apply to save your settings.

Create Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
- Services: A service narrows down the firewall rule to an application and a port number. For information about adding services and IP groups, see Add Customized Services on page 112 and Create IP Groups on page 114.
- QoS profiles: A Quality of Service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles, see Create Quality of Service (QoS) Profiles on page 116.
- Bandwidth profiles: A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is applied. For i
14. [Figure 167: Detailed Status screen (the WAN Info sections, including WAN3 Info, are not shown in this example).]
The following table explains the fields of the Detailed Status screen.

Table 69: Detailed Status screen information
Item / Description
LAN Port Configuration: The following fields are shown for each of the four LAN ports.
VLAN Profile: The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 57). If the VLAN is not enabled on this port, the default profile with VLAN ID 1 is assigned automatically.
VLAN ID: The VLAN ID that you assigned to this port on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on this port.
MAC Address: The MAC address of this port. All LAN ports share the same MAC address, 00:00:00:00:00:01. However, if LAN port 4 is enabled as the DMZ port, its MAC address is changed to 00:00:00:00:00:06. For information about configuring the DMZ port, see Configure and Enable the DMZ Port on page 72.
IP Address: The IP address for this port. If the VLAN is not enabled on this port, the IP addres
15. To delete a QoS profile:
1. In the Custom Services table, select the check box to the left of the QoS profile that you want to delete, or click the Select All table button to select all profiles.
2. Click the Delete table button.

Configure Advanced WAN Options
The advanced options include configuration of the maximum transmission unit (MTU) size, port speed, the VPN firewall's MAC address, and setting a rate limit on the traffic that is being forwarded by the VPN firewall.
To configure advanced WAN options:
1. Select Network Configuration > WAN Settings.
Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 35.
2. Click the Edit table button in the Action column of the WAN interface for which you want to configure the advanced options. The WAN ISP Settings screen displays (see Figure 17 on page 26, which shows the WAN1 ISP Settings screen as an example).
3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. The following figure shows the WAN1 Advanced Options screen as an example.
[Figure: Network Configuration > WAN1 Advanced Options screen (tabs: WAN Settings, Dynamic DNS, LAN Settings, DMZ Setup, Routing, QoS).]
16. ESP
Encryption: Select 3DES as the encryption algorithm from the drop-down list.
Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
Mode: Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group: Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Configure the Global Parameters
To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen.
[Figure 95: NETGEAR ProSafe VPN Client Professional, Configuration Panel, Global Parameters pane. Lifetime (sec): Default / Minimal / Maximal for Authentication (IKE) and Encryption (IPSec); Dead Peer Detection (DPD): Check interval (sec), Max number of retries, Delay between retries (sec); Miscellaneous: Retransmissions, IKE Port, X-Auth timeout, NAT Port, Block non-ciphered connection.]
2. Specify the default life
17. Firewall Protection
This chapter describes how to use the firewall features of the VPN firewall to protect your network. This chapter contains the following sections:
- About Firewall Protection
- Use Rules to Block or Allow Specific Kinds of Traffic
- Configure Other Firewall Features
- Create Services, QoS Profiles, and Bandwidth Profiles
- Set a Schedule to Block or Allow Specific Traffic
- Content Filtering
- Enable Source MAC Filtering
- Set Up IP/MAC Bindings
- Configure Port Triggering
- Configure Universal Plug and Play

About Firewall Protection
A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups. For information about how to set up LAN groups, see Manage Groups and Hosts (LAN Groups) on page 67.
A firewall incorporates the functions of a Network Address Translation (NAT) router, protects the trusted network from hacker intrusions or attacks, and controls the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true stateful packet inspect
18. From the drop-down list, select one of the following hash algorithms:
- MD5: A 128-bit (16-byte) message digest, slightly faster than SHA-1.
- SHA-1: A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm: Although this seems to be a drop-down list, the only possible selection is RSA. In other words, RSA is the default to generate a CSR.

Table 61: Generate self-certificate request settings (continued)
Setting / Description
Signature Key Length: From the drop-down list, select one of the following signature key lengths in bits: 512, 1024, 2048. Note: Larger key sizes might improve security but might also decrease performance.
Optional Fields
IP Address: Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.
Domain Name: Enter your Internet domain name, or leave this field blank.
E-mail Address: Enter the email address of a technical contact in your company.

3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table.
4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR. The Certificate Request Data screen displays.
[Figure: Certificate Request Data screen (Operation succeeded). Subject Name: CN=Netgear; Hash A
19. [Figure 191: Road Warrior example, dual WAN ports before rollover. Gateway A: WAN1 IP (bzrouter.dyndns.org), WAN2 port inactive (WAN2 IP N/A), LAN IP 10.5.6.1; VPN Router at employer's main office; Remote PC running NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses.]

The IP addresses of the WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN port could be either WAN1 or WAN2, that is, the IP address of the active WAN port is not known in advance. After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in the following figure), and the remote PC client needs to reestablish the VPN tunnel. The gateway WAN port needs to act as the responder.

[Figure 192: Road Warrior example, dual WAN ports after rollover. LAN 10.5.6.0/24; Client B; Gateway A: WAN1 port inactive (WAN1 IP N/A), WAN2 IP (bzrouter.dyndns.org), LAN IP 10.5.6.1; VPN Router at employer's main office; Remote PC running NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses. The remote PC must re-establish the VPN tunnel after a rollover.]

The purpose of the FQDN in this case is to toggle the domain name of the ga
20. 4000 Mbps (four LAN ports at 1000 Mbps each).
- WAN side: Load balancing mode: 4000 Mbps (four WAN ports at 1000 Mbps each). Auto-rollover mode: 1000 Mbps (one active WAN port at 1000 Mbps). Single WAN port mode: 1000 Mbps (one active WAN port at 1000 Mbps).
In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates:
- Load balancing mode: 6 Mbps (four WAN ports at 1.5 Mbps each)
- Auto-rollover mode: 1.5 Mbps (one active WAN port at 1.5 Mbps)
- Single WAN port mode: 1.5 Mbps (one active WAN port at 1.5 Mbps)
As a result, and depending on the traffic that is being carried, the WAN side of the VPN firewall is the limiting factor to throughput for most installations.

Using four WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no backup in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to another WAN port that is still working, thus increasing its load. However, there is one exception: Traffic that is bound by protocol to the WAN port that failed is not diverted.

Features That Reduce Traffic
You can adjust the following features of the VPN firewall in such a way that the traffic load on the WAN side decreases:
21. [Figure 124: List of Layouts table (Layout Name, Description, Use Count, Portal URL, Action) showing the default SSL-VPN layout and a CustomerSupport layout; Select All, Delete, and Add buttons.]
The List of Layouts table displays the following fields:
- Layout Name: The descriptive name of the portal.
- Description: The banner message that is displayed at the top of the portal (see Figure 132 on page 217).
- Use Count: The number of remote users that are currently using the portal.
- Portal URL: The URL at which the portal can be accessed.
- Action: The table buttons that allow you to edit the portal layout or set it as the default.
2. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen displays. The following figure shows an example.
[Figure 125: Add Portal Layout screen (Operation succeeded). Fields: Portal Layout Name (CustomerSupport), Portal Site Title, Banner Title, Banner Message, Display banner message on login page, HTTP meta tags for cache control (recommended), ActiveX web cache cleaner; VPN Tunnel page, Port Forwarding.]
3. Complete the settings as explained in the following table.
Table 50: Add Portal Layout screen s
22. Description
Enable Traffic Meter / Do you want to enable Traffic Metering on WAN1? Select one of the following radio buttons to configure traffic metering:
- Yes: Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN1 interface. Complete the fields that are shown on the right side of the screen (see explanations later in this table).
- No: Traffic metering is disabled. This is the default setting.

Table 65: WAN Traffic Meter screen settings (continued)
Setting / Description
Do you want to enable Traffic Metering on WAN1? (continued): Select one of the following radio buttons to specify if or how the VPN firewall applies restrictions when the traffic limit is reached:
- No Limit: No restrictions are applied when the traffic limit is reached.
- Download only: Restrictions are applied to incoming traffic when the traffic limit is reached. Complete the Monthly Limit field.
- Both Directions: Restrictions are applied to both incoming and outgoing traffic when the traffic limit is reached. Complete the Monthly Limit field.
Monthly Limit: Enter the monthly traffic volume limit in MB. The default setting is 0 MB.
Increase this month limit by: Select this check box to temporarily increase a previously specified monthly traffic volume limit, and ent
23. [Figure 203: WiKID token client (File, Actions, Help; Copyright 2001-2007 WiKID Systems, Inc.). Passcode Request; Token client: test; Passcode: 468713; PassCode expires in 31 seconds.]
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time. If a user does not use this passcode before it is expired, the user needs to go through the request process again to generate a new OTP.
3. Proceed to the 2-Factor Authentication login screen and enter the one-time passcode as the login password.
[Figure 204: 2-Factor Authentication login screen (User Name: user; Password; Domain: WIKID) beside the WiKID Passcode Request (Token client: test; Passcode: 468713; PassCode expires in 51 seconds).]

Notification of Compliance
NETGEAR Wired Products
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end user to comply with the applicable requirements may result in unlawful operation and adverse action against the end user by the applicable National regulatory authority. This product's firmware limits operation to only the channels allowed in a particular Region or Country. Therefore, all
24. IP Setup
IP Address: Enter the IP address of the VPN firewall (the factory default is 192.168.1.1). Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets. Note: If you change the LAN IP address of the VLAN while being connected through the browser to the VLAN, you will be disconnected. You then need to open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you now need to enter https://10.0.0.1 in your browser to reconnect to the web management interface.
Subnet Mask: Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. Based on the IP address that you assign, the VPN firewall automatically calculates the subnet mask. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the VPN firewall).
DHCP
Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.

Table 12: Edit VLAN Profile screen settings (continued)
Setting / Description
Enable DHCP Server: Select the Enable DHCP Server radio button to enable
25. [Figure 31: Edit VLAN Profile screen: Port Membership (Port 1 through Port 4/DMZ), IP Setup (IP Address, Subnet Mask), Disable DHCP Server / Enable DHCP Server, Enable LDAP information (Domain Name, LDAP server, Search Base, Start IP, End IP, Port: enter 0 for default port), Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (Hours), DHCP Relay (Relay Gateway), DNS Proxy (Enable DNS Proxy), Inter VLAN Routing (Enable Inter VLAN Routing)]
3. Enter the settings as explained in the following table.
Table 12. Edit VLAN Profile screen settings
Setting / Description
VLAN Profile
Profile Name: Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
VLAN ID: Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4093. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership
Port 1 through Port 4/DMZ: Select one, several, or all port check boxes to make the ports members of this VLAN. Note: A port that is defined as a member of a VLAN profile can send and receive data frames that are tagged with the VLAN ID
26. [Add User screen fields (continued): Select Group, Password, Confirm Password, Idle Timeout]
3. Enter the settings as explained in the following table.
Table 58. Add User screen settings
Setting / Description
User Name: A descriptive alphanumeric name of the user for identification and management purposes.
User Type: From the drop-down list, select one of the predefined user types that determines the access credentials:
- Administrator: User who has full access and the capacity to change the VPN firewall configuration (that is, read/write access).
- SSL VPN User: User who can only log in to the SSL VPN portal.
- IPSEC VPN User: User who can only make an IPSec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 172).
- Guest User: User who can only view the VPN firewall configuration (that is, read-only access).
Select Group: The drop-down list shows the groups that are listed on the Group screen. From the drop-down list, select the group to which the user is assigned. For information about how to configure groups, see Configure Groups for VPN Policies on page 224. Note: The user is automatically assigned to the domain that is associated with the selected group.
Password: The password that the user needs to enter to gain access to the VPN firewall. The password can contain alphanumeric or _ characters.
Con
27. Selected NAT-T version: RFC XXXX
Message 7: 2000 Jan 1 04:13:39 SRX5308 IKE Setting DPD Vendor ID
Explanation:
Message 1-4: After receiving a request for phase 1 negotiation, a Dead Peer Detection Vendor ID is received.
Message 5: DPD is enabled.
Message 7: The DPD vendor ID is set.
Recommended Action: None
Table 101. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down
Message 1: 2000 Jan 1 06:01:18 SRX5308 VPNKA Keep-alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative
Message 2: 2000 Jan 1 06:01:19 SRX5308 IKE DPD R-U-THERE sent to 20.0.0.1:500
Message 3: 2000 Jan 1 06:01:19 SRX5308 IKE DPD R-U-THERE-ACK received from 20.0.0.1:500
Explanation:
Message 1: When the remote host connection is removed and there are no packets from the remote host, the VPN firewall sends packets to keep the remote host alive. As the connection itself is removed, keep-alive fails.
Message 2: The VPN firewall sends packets to check whether the peer is dead.
Message 3: The VPN firewall receives an acknowledgment that the peer is dead. The connection is removed.
Recommended Action: None
Table 102. System logs: IPSec VPN tunnel, client policy, disconnection from the client side
Message: 2000 Jan 1 02:34:45 SRX5308 IK
28. The incoming and outgoing volume of traffic for each protocol and the total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts only when the traffic passed is at least 1 MB. In addition, the pop-up screen displays the traffic meter's start and end dates.
Enable the LAN Traffic Meter
If your ISP charges by traffic volume over a period of time and you need to charge the costs to individual accounts, or if you want to study the traffic volume that is requested or sent over a LAN IP address over a period of time, you can activate the traffic meter for individual LAN IP addresses.
> To monitor traffic for LAN IP addresses:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display with the LAN Setup screen in view (see Figure 30 on page 59).
2. Select the Advanced option arrow in the upper right of the LAN Setup screen. The LAN Advanced screen displays.
3. Select the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. The following figure shows some examples in the LAN Traffic Meter table.
[Figure: LAN Traffic Meter screen (Network Configuration > LAN Advanced, "Operation succeeded"), LAN Traffic Meter Table with example entries such as 192.168.11.67, Inbound, 15000, Allowed, Edit and 192.168.11.203; columns LAN IP Address, Direction, Limit (M
29. These fields apply only when you select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA) is created.
SPI-Incoming: The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters, for example, 0x1234.
Encryption Algorithm: From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
- DES: Data Encryption Standard (DES).
- 3DES: Triple DES. This is the default algorithm.
- AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192: AES with a 192-bit key size.
- AES-256: AES with a 256-bit key size.
Key-In: The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
- DES: Enter 8 characters.
- 3DES: Enter 24 characters.
- AES-128: Enter 16 characters.
- AES-192: Enter 24 characters.
- AES-256: Enter 32 characters.
Key-Out: The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
- DES: Enter 8 characters.
- 3DES: Enter 24 characters.
- AES-128: Enter 16 characters.
- AES-192: Enter 24 characters.
- AES-256: Enter 32 characters.
Table 40. Add New VPN Policy screen setti
30. > To monitor traffic limits on each of the WAN ports:
1. Select Monitoring > Traffic Meter. The WAN Traffic Meter tabs display with the WAN1 Traffic Meter screen in view (see the following figure). The Internet Traffic Statistics section in the lower part of the screen displays statistics on Internet traffic via the WAN port. If you have not enabled the traffic meter, these statistics are not available.
[Figure 159: WAN1 Traffic Meter screen: Enable Traffic Meter (Do you want to enable Traffic Metering on WAN1? No / Yes; No Limit / Download only / Both Directions; Monthly Limit in MB, max 256000 MB (250 GB); Increase this month's limit by 0 MB, max 256000 MB (250 GB); This month's limit 0 MB; Restart Traffic Counter Now / Restart Traffic Counter at Specific Time on the day of the month; Block All Traffic / Block All Traffic Except E-Mail; Send e-mail alert; Send e-mail report before restarting counter); Internet Traffic Statistics (Start Date/Time, Outgoing Traffic Volume (MB), Incoming Traffic Volume (MB), Total Traffic Volume (MB), Average per day (MB), % of Standard Limit, % of this Month's Limit); Apply / Reset]
2. Enter the settings for the WAN1 port as explained in the following table.
Table 65. WAN Traffic Meter screen settings
Setting
31. as an example.
[Figure 170: IPSec VPN Connection Status screen (Operation succeeded). Active IPSec SAs table columns: Policy Name, Endpoint, Tx (KB), Tx (Packets), State, Action; example row: GW1 to GW2, 10.144.28.226, 0.00, 0, IPsec SA Not Established, Connect; Client Policy; Poll Interval (Seconds), Set Interval, Stop]
The Active IPSec SAs table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set Interval. To stop polling, click Stop.
Table 72. IPSec VPN Connection Status screen information
Item / Description
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address on the remote VPN endpoint.
Table 72. IPSec VPN Connection Status screen information (continued)
Tx (KB): The amount of data that is transmitted over this SA.
Tx (Packets): The number of IP packets that are transmitted over this SA.
State: The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase. If there is no connection, the status is IPSec SA Not Established.
Action: Click the Connect table button to build the connection, or click the
32. [Figure 196 (continued): VPN Router at office B; Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses; one of the gateway routers must re-establish the VPN tunnel after a rollover]
The purpose of the FQDNs is to toggle the domain name of the rolled-over gateway between the IP addresses of the active WAN port (that is, WAN_A1 and WAN_A2 in the previous figure) so that the other end of the tunnel has a known gateway IP address to establish or reestablish a VPN tunnel.
VPN Gateway-to-Gateway, Dual Gateway WAN Ports for Load Balancing
In a configuration with two dual WAN port VPN gateways that function in load balancing mode, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
[Figure 197: Gateway-to-Gateway Example, Dual WAN Ports, Load Balancing. Gateway A (netgear1.dyndns.org, VPN Router at office A, LAN 10.5.6.0/24, LAN IP 10.5.6.1) with WAN_A1 IP and WAN_A2 IP; Gateway B (netgear2.dyndns.org, VPN Router at office B, LAN 172.23.9.0/24, LAN IP 172.23.9.1) with WAN_B1 IP and WAN_B2 IP; example WAN addresses 22.23.24.25 and 22.23.24.26. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If
33. - If a period is specified as the keyword, all Internet browsing access is blocked.
Enable and Configure Content Filtering
> To enable and configure content filtering:
1. Select Security > Content Filtering. The Block Sites screen displays (see the following figure).
2. In the Content Filtering section, select the Yes radio button to enable content filtering.
3. Click Apply to activate the screen controls. The check boxes and fields that were masked out become available for configuration.
[Figure 68: Block Sites screen (Security > Content Filtering): Content Filtering (Turn Content Filtering On), Web Components (Proxy, ActiveX, Cookies, Apply), Apply Keyword Blocking to Group Name (Group1 through Group8; Select All, Enable, Disable), Blocked Keywords (Select All, Delete, Add Blocked Keyword), Trusted Domains (Select All, Delete)]
4. Enter the settings as explained in the following table.
Table 25. Block Sites screen settings
Setting / Description
Web Components: Select the check boxes of any web components that you wish to block. The web components are explain
34. - Reset: Reset the configuration to default values.
- Test: Test the configuration before you decide whether or not to save and apply the configuration.
- Auto Detect: Enable the VPN firewall to detect the configuration automatically and suggest values for the configuration.
- Next: Go to the next screen (for wizards).
- Back: Go to the previous screen (for wizards).
- Search: Perform a search operation.
- Cancel: Cancel the operation.
- Send Now: Send a file or report.
When a screen includes a table, table buttons are displayed to let you configure the table entries. The nature of the screen determines which table buttons are shown. The following figure shows an example.
[Figure 9: Table buttons: Select All, Delete, Enable, Disable, Add, Up, Down, Apply]
Any of the following table buttons might be displayed on screen:
- Select All: Select all entries in the table.
- Delete: Delete the selected entry or entries from the table.
- Enable: Enable the selected entry or entries in the table.
- Disable: Disable the selected entry or entries in the table.
- Add: Add an entry to the table.
- Edit: Edit the selected entry.
- Up: Move up the selected entry in the table.
- Down: Move down the selected entry in the table.
- Apply: Apply the selected entry.
Almost all screens and sections of screens have an accompanying he
35. > To reboot the VPN firewall:
In the Router Options section on the Diagnostics screen, next to Reboot the Router, click the Reboot button. The VPN firewall reboots. If you can see the unit, the reboot process is complete when the Test LED on the front panel goes off.
Capture Packets
You can capture packets to analyze traffic patterns with a network traffic analyzer tool. The captured packet flow can show if traffic is flowing correctly to its destinations or if packets are dropped. There is a limit to the size of the packet flow that you can capture in a file.
> To capture packets:
1. In the Router Options section on the Diagnostics screen, next to Capture Packets, click the Packet Trace button. The Capture Packets screen appears as a pop-up window.
[Figure 180: Capture Packets pop-up window with the Select Network drop-down list]
2. From the Select Network drop-down list, select a WAN interface, DMZ interface (if enabled), or VLAN.
3. Click the Start button to start capturing the traffic flow. The following text appears in the pop-up window: Packet tracing started. Click stop when done.
4. When you want to stop capturing the traffic flow, click the Stop button. The following text appears in the pop-up window: Packet tracing stopped. Click download to view captured logs.
5. Click the Download button. Select a location to sa
36. [Figure 51 (continued): Add LAN WAN Inbound Service screen fields: Send to LAN Server (Start / End), Translate to Port Number, WAN Destination IP Address (Start / End), LAN Users (Any; Start / End), WAN Users (Start / End), QoS Profile, Bandwidth Profile NONE, Reset]
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
[Figure 52: Add LAN WAN Inbound Service screen (Operation succeeded): Service, Action, Select Schedule (Schedule 1), Send to LAN Server (Start / End), Translate to Port Number, WAN Destination IP Address (Start / End), LAN Users (Start / End), WAN Users (Start / End set to the restricted external address range), QoS Profile, Log, Bandwidth Profile NONE]
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN. The following addressing scheme is us
37. in which you want to save the file, specify the file name, and save the file.
- If your browser is configured to save downloaded files automatically, the file is saved to your browser's download location on the hard disk.
Restore Settings
WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the VPN firewall system software.
> To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Restore saved settings from file, click Browse.
2. Locate and select the previously saved backup file (by default, SRX5308.cfg).
3. After you have selected the file, click the Restore button. A warning message might appear, and you might have to confirm that you want to restore the configuration. The VPN firewall reboots. An alert message appears indicating the status of the restore operation. You need to manually restart the VPN firewall for the restored settings to take effect.
WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the settings have been fully restored.
Revert to Factory Default Settings
To reset the VPN firewall
38. performs when the traffic limit has been reached:
- Block All: All incoming and outgoing Internet and email traffic is blocked.
- Send Email Alert and Block: An email alert is sent when all incoming and outgoing Internet and email traffic is blocked. Ensure that emailing of logs is enabled on the Email and Syslog screen (see Activate Notification of Events, Alerts, and Syslogs on page 269).
6. Click Apply to save your settings. The new account is added to the LAN Traffic Meter table on the LAN Traffic Meter screen.
> To view the LAN IP traffic meter statistics:
In the LAN Traffic Meter table, click the Edit table button to the right of the account for which you want to view the statistics. The Edit LAN Traffic Meter Account screen displays. This screen shows the same fields as the Add LAN Traffic Meter Account screen (see the previous figure), together with the statistics at the bottom of the screen.
[Figure 163: Edit LAN Traffic Meter Account statistics: Start Date/Time 07/19/2011 16:37, Outgoing Traffic Volume 0 MB, Incoming Traffic Volume 0 MB, Total Traffic Volume 0 MB, Limit 50000 MB, State Allowed]
> To edit a LAN traffic meter account:
1. In the LAN Traffic Meter table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows the same fie
39. screen (see Figure 28 on page 52). Locate the Failure Detection Method section on the screen. Enter the settings as explained in the following table.
[Figure 18: Failure Detection Method section: Failure Detection Method drop-down list (WAN DNS), DNS Server / IP Address fields, Retry Interval (seconds), Failover after (failures)]
Table 6. Failure detection method settings
Setting / Description
Failure Detection Method: Select a failure detection method from the drop-down list:
- WAN DNS: DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the Internet Connection on page 28).
- Custom DNS: DNS queries are sent to a DNS server that you need to specify in the DNS Server fields.
- Ping: Pings are sent to a server with a public IP address that you need to specify in the IP Address fields. The server should not reject the ping request and should not consider ping traffic to be abusive.
Note: DNS queries or pings are sent through the WAN interface that is being monitored. The retry interval and number of failover attempts determine how quickly the VPN firewall switches from the primary link to the backup link in case the primary link fails, or, when the primary link comes back up, switches back from the backup link to the primary link.
DNS Server
40. the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings, such as the IP address, subnet mask, WINS server, and DNS address, from the VPN firewall. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPSec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record on the Add Mode Config Record screen that is shown in Figure 110 on page 178.
Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the VPN Firewall on page 177). You do not need to make changes to any VPN policy.
Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out.
Configure Mode Config Operation on the VPN Firewall
To configure Mode Config on the VPN firewall, first create a Mode Config record, and then select the Mode Config record for an IKE policy.
> To configure Mode Config on the VPN firewall:
1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays.
[Figure: Mode Config screen; tab bar residue: SSL VPN, Certificate
41. 0.2 and logged in with the username sai.
Recommended Action: None
Table 106. System logs: VPN log messages, port forwarding, LAN host and interface
Message: 2000 Jan 1 01:35:41 SRX5308 portforwarding: id=SRX5308 time=2000-1-1 1:35:41 fw=192.168.11.1 pri=6 rule=access-policy proto=Virtual Transport Java src=192.168.11.2 user=sai dst=192.168.11.1 arg= op= result= rcvd= msg=Virtual Transport Java
Explanation: An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.168.11.2 with interface 192.168.11.1, logged in with the username sai.
Recommended Action: None
Traffic Meter Logs
Table 107. System logs: traffic meter
Message: Jan 23 19:03:44 TRAFFIC_METER: TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1
Explanation: The traffic limit for WAN1 that was set as 10 Mb has been reached. This stops all incoming and outgoing traffic, that is, if you selected the Block All Traffic radio button in the When Limit is Reached section on the WAN Traffic Meter screen.
Recommended Action: To start the traffic, restart the traffic limit counter.
Routing Logs
This section explains the logging messages for the various network segments, such as LAN to WAN, for debugging purposes. These logs might generate a
42. [Figure 83: List of VPN Policies table (continued): example rows 192.168.1.0 / 255.255.255.0 to 192.172.1.0 / 255.255.255.0, SHA-1, 3DES, Edit; Client to MainOffice, Auto Policy, 192.168.1.0 / 255.255.255.0, Client Policy, Edit; buttons Select All, Enable, Disable, Delete, Add]
Note: When using FQDNs, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
4. (Optional step) Collect the information that you need to configure the VPN client. You can print the following table to help you keep track of this information.
Table 31. Information required to configure the VPN client
Component / Example (the Information to be collected column is left blank for you to fill in)
- Pre-Shared Key: I7 IKL39dFG_8
- Remote Identifier Information: srx_remote.com
- Local Identifier Information: srx_local.com
- Router's LAN Network IP Address: 192.168.1.0
- Router's LAN Network Mask: 255.255.255.0
- Router's WAN IP Address: 10.34.116.22
Use the NETGEAR VPN Client Wizard to Create a Secure Connection
The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 148) or with the integrated Configuration Wizard, which is the easier and preferred method. The Configuration Wizard configures the default settings and provides basic interopera
43. 3. Click the Add table button. The new port triggering rule is added to the Port Triggering Rules table.
> To edit a port triggering rule (for example, to enable the rule):
1. In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified port triggering rule is displayed in the Port Triggering Rules table.
> To remove one or more port triggering rules from the table:
1. Select the check box to the left of the port triggering rule that you want to delete, or click the Select All table button to select all rules.
2. Click the Delete table button.
> To display the status of the port triggering rules:
Click the Status option arrow in the upper right of the Port Triggering screen. A pop-up window appears, displaying the status of the port triggering rules.
[Figure 72: Port Triggering Status pop-up window with columns Rule, LAN IP Address, Open Ports, Time Remaining (Sec), and a Refresh button]
Configure Universal Plug and Play
The Universal Plug and Play (UPnP) feature enables the VPN firewall to automatically discover and configure devices when it searches the LAN and WAN.
1. Select Security > UPnP. The UPnP screen displays (see the fol
44. [Figure 54 (continued): LAN WAN Inbound Services table row: ANY, NONE, NONE, Never; buttons Up, Down, Edit, Delete, Enable, Disable, Add. Callouts: 1. Select Any and Allow Always or Allow by Schedule; 2. Place the rule below all other inbound rules]
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule screen. See an example in the following figure. You can also enable the VPN firewall to log any attempt to use Instant Messenger during the blocked period.
[Figure 55: Add LAN WAN Outbound Service screen (Operation succeeded): Service AIM, Action BLOCK by schedule, otherwise allow, Select Schedule Schedule 1, LAN Users (Start / End), WAN Users (Start / End), QoS Profile, Log, Bandwidth Profile, NAT IP]
Configure Other Firewall Features
You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions.
Attack Checks
The Attack Checks screen allows you to spec
45. Authentication pane. The Advanced pane displays.
[Figure 93: NETGEAR ProSafe VPN Client Professional, Configuration Panel, Advanced tab: Advanced features (Mode Config, Aggressive Mode, X-Auth, X-Auth Popup, Hybrid Mode); Local and Remote ID: Local ID, Type DNS, Value srx_remote.com; Remote ID, Type DNS, Value srx_local.com]
7. Specify the settings that are explained in the following table.
Table 34. VPN client advanced authentication settings
Setting / Description
Advanced features
Aggressive Mode: Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
Table 34. VPN client advanced authentication settings (continued)
Local and Remote ID
Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter srx_remote.com as the local ID for the VPN client. Note: The remote ID on the VPN firewall is the local ID on the VPN
46. Client Routes table on the SSL VPN Client screen. If the assigned client IP address range is in a different subnet from the local network, or if the local network has multiple subnets, or if you select split mode tunnel operation, you need to define client routes.
> To add an SSL VPN tunnel client route:
1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays (see Figure 127 on page 206).
2. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields:
- Destination Network: The destination network IP address of a local network or subnet. For example, enter 192.168.1.60.
- Subnet Mask: The address of the appropriate subnet mask.
3. Click the Add table button. The new client route is added to the Configured Client Routes table.
Note: If VPN tunnel clients are already connected, restart the VPN firewall. Restarting forces clients to reconnect and receive new addresses and routes.
> To change the specifications of an existing route and to delete an old route:
1. Add a new route to the Configured Client Routes table.
2. In the Configured Client Routes table, to the right of the route that is out of date, click the Delete table button.
If an existing route is no longer needed for any reason, you can delete it.
Use Network Resource Objects to
47. [Figure 113: VPN client Configuration Panel tree-list context menu: Config, Reset, Del, New Phase 1 (Ctrl+N)]
Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type GW_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen with the Authentication tab selected by default.
[Figure 114: NETGEAR ProSafe VPN Client Professional, Configuration Panel, Authentication tab: Addresses (Interface Any, Remote Gateway 10.34.116.22); Authentication (Preshared Key, Confirm, masked; Certificate); Encryption 3DES, Authentication SHA-1, Key Group DH2 (1024)]
4. Specify the settings that are explained in the following table.
Table 45. VPN client authentication settings (Mode Config)
Setting / Description
Interface: Select Any from the drop-down list.
Remote Gateway: Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.11
48. DES, 3DES, AES-128, AES-192, AES-256
IPSec authentication algorithm: SHA-1, MD5
IPSec key exchange: IKE, Manual Key, Pre-Shared Key, PKI, X.500
IPSec authentication types: Local user database, RADIUS PAP, RADIUS CHAP
IPSec certificates supported: CA digital certificate, self-signed certificate
The following table shows the SSL VPN specifications for the VPN firewall.
Table 78. VPN firewall SSL VPN specifications
Setting / Specification
Network Management: Web-based configuration and status monitoring
Number of concurrent users supported: 50
SSL versions: SSLv3, TLS1.0
SSL encryption algorithm: DES, 3DES, ARC4, AES-128, AES-192, AES-256
SSL message integrity: MD5, SHA-1, MAC-MD5/SHA-1, HMAC-MD5/SHA-1
SSL authentication types: Local user database, RADIUS PAP, RADIUS CHAP, RADIUS MSCHAP, RADIUS MSCHAPv2, WiKID PAP, WiKID CHAP, MIAS PAP, MIAS CHAP, NT domain
SSL certificates supported: CA digital certificate, self-signed certificate
Network Planning for Multiple WAN Ports
This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections:
- What to Consider Before You Begin
- Overview of the Planning Process
- Inbou
49. (DMZ WAN inbound rules.) This field is not applicable when the WAN mode is NAT, because your network presents only one IP address to the Internet. QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Create Quality of Service (QoS) Profiles on page 116. Note: There is no default QoS profile on the VPN firewall. After you have created a QoS profile, it can become active only when you apply it to a non-blocking inbound or outbound firewall rule. Note: This field is not applicable to LAN DMZ rules. Table 19: Inbound rules overview (continued). Log: The setting that determines whether packets covered by this rule are logged. The options are: Always: Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules. Never: Never log traffic considered by this rule, whether it matches or not. Bandwidth Profile: Bandwidth limiting determines the way in whi
50. (DN fields.) Select Portal: The drop-down list shows the SSL portals that are listed on the Portal Layout screen. From the drop-down list, select the SSL portal with which the domain is associated. For information about how to configure SSL portals, see Create the Portal Layout on page 198. Authentication Server: The server IP address or server name of the authentication server, for any type of authentication other than authentication through the local user database. Authentication Secret: The authentication secret or password that is required to access the authentication server, for RADIUS, WiKID or MIAS authentication. Workgroup: The workgroup that is required for Microsoft NT Domain authentication. LDAP Base DN: The LDAP base distinguished name (DN) that is required for LDAP authentication. Active Directory Domain: The Active Directory domain name that is required for Microsoft Active Directory authentication. 4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that it is not disabled: select the No radio button in the Local Authentication section of the Domain screen (see Figure 136 on page 221). Note: A combination of local and external authentication is supported. WARNING: If you disable l
51. (...) Disconnect table button to terminate the connection. To view the status of current SSL VPN tunnels: Select VPN > Connection Status > SSL VPN Connection Status. The SSL VPN Connection Status screen displays. (Figure 171: columns User Name, Group, IP Address, Login Time and Action; the example row shows a user in group geardomain who logged in Wed Feb 24 17:32:56 2010, with a Disconnect button.) The active SSL VPN user's user name, group and IP address are listed in the table, with a timestamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user's table entry. View the VPN Logs. To view the IPSec VPN logs: Select Monitoring > VPN Logs. The VPN Logs submenu tabs display with the IPSec VPN Logs screen in view. (Figure 172: IPSec VPN Logs screen with IKE messages dated 2010 Feb 18 for a peer identified as client2, and Refresh Log and Clear Log buttons.) To view the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays.
52. (Identifier.) IKE SA Parameters. Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm: From the drop-down list, select the 3DES algorithm to negotiate the security association (SA). Authentication Algorithm: From the drop-down list, select the SHA-1 algorithm to be used in the VPN header for the authentication process. Authentication Method: Select Pre-shared key as the authentication method and enter a key in the Pre-shared key field. Pre-shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote in the key. In this example we are using H8 spsf3 JYK2. Diffie-Hellman (DH) Group: The DH Group sets the strength of the algorithm in bits. From the drop-down list, select Group 2 (1024 bit). (3DES, SHA-1 and 1024-bit DH Group 2 are the example's choices, not current best practice; where both ends support them, prefer AES and the strongest DH group offered, and use a long random pre-shared key rather than a memorable one.) SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying needs to occur. The default is 28800 seconds (8 hours); however, for a Mode Config configuration NETGEAR recommends 3600 seconds (1 hour). Enable Dead Peer Detection (Note: see also Configure Keep-alives and Dead Peer Detection on page 191): Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled. Yes: This feature is enabled. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of
53. (Index, continued.) Initiation Protocol (SIP), 111; session limits: configuring, 109; logging dropped packets, 271; severities, syslog, 273; SHA-1 (Secure Hash Algorithm 1): IKE policies, 163; ModeConfig, 179; self-certificate requests, 238; VPN policies, 171; signature key length, certificates, 239; Simple Network Management Protocol (SNMP): configuring, 254–256; description, 13; single WAN port mode: bandwidth capacity, 242; description, 32; SIP (Session Initiation Protocol), 111; sniffer, 295; SNMP (Simple Network Management Protocol): configuring, 254–256; description, 13; software: downloading and upgrading, 259; versions, 275; source MAC filtering: configuring MAC addresses, 126; logging matched packets, 271; reducing traffic, 245; specifications, physical and technical, 303; speed, ports, 53; SPI (Security Parameters Index), 170; SPI (stateful packet inspection), 11, 81, 170; split tunnel, SSL VPN, 205; spoofing MAC addresses, 297; SSL certificate, warning and downloading, 21; SSL VPN: ActiveX-based client, 196; cache control and cleaner, 201; certificates supported, 305; clients and routes, configuring, 205–208; configuration steps, 197; description, 11; domains, groups and users, 202; FQDNs, port forwarding, 198; logs, 218; network resources and objects, 208–210; policies, managing, 210–215; port forwarding: configuring, 202–205; description, 197; portals: accessing, 216–218; creating, 198–201; specifications, 305; split tunnel, 205; status, 218
54. (...) Kinds of Traffic on page 82. If necessary, you can also create firewall rules that apply to a single PC; see Enable Source MAC Filtering on page 126. Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address. Manage the Network Database. You can view the network database, manually add or remove database entries, and edit database entries. To view the network database: 1. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. The following figure shows some examples in the Known PCs and Devices table. (Figure 34: example rows Marketing, 192.168.1.20, profile defaultVlan; Sales, 192.174.60.78, profile SalesVLAN; Salesemea, 192.174.60.92, profile SalesVLAN, each with a MAC address and Edit action; Select All, Delete and Save Binding buttons; and an Add Known PCs and Devices form with Name, IP Address Type, IP Address, MAC Address, Group and Profile Name fields.) The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields are di
55. LAN WAN outbound rules (also referred to as service blocking); DMZ WAN outbound rules (also referred to as service blocking); Content filtering; Source MAC filtering. LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking). You can control specific outbound traffic from LAN to WAN and from the DMZ to WAN. The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic. If you have not defined any rules, only the default rule is listed. The default rule allows all outgoing traffic. Any outbound rule that you create restricts outgoing traffic and therefore decreases the traffic load on the WAN side. WARNING: This feature is for advanced administrators only. Incorrect configuration might cause serious problems. Each rule lets you specify the desired action for the connections that are covered by the rule: BLOCK always; BLOCK by schedule, otherwise allow; ALLOW always; ALLOW by schedule, otherwise block. The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 83. For detailed procedures on how to configure outbound rules, see Set LAN WAN Rules on page 91 and Set DMZ WAN Rules on page 95. When you define outbound firewall rules, you can further refine their application according to the following criteria: Services: You can spe
56. Network Resource: Policy Name: A descriptive name of the SSL VPN policy, for identification and management purposes. Defined Resources: From the drop-down list, select a network resource that you have defined on the Resources screen (see Use Network Resource Objects to Simplify Policies on page 208). Permission: From the drop-down list, select whether the policy permits (PERMIT) or denies (DENY) access. IP Address: Policy Name: A descriptive name of the SSL VPN policy, for identification and management purposes. IP Address: The IP address to which the SSL VPN policy is applied. Port Range / Port Number: A port (enter it in the Begin field) or a range of ports (enter them in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic. Service: From the drop-down list, select the service to which the SSL VPN policy is applied. VPN Tunnel: The policy is applied only to a VPN tunnel. Port Forwarding: The policy is applied only to port forwarding. All: The policy is applied both to a VPN tunnel and to port forwarding. Permission: From the drop-down list, select whether the policy permits (PERMIT) or denies (DENY) access. Table 54: Add SSL VPN Policy
57. (Figure 66: Add Bandwidth Profile screen with fields Profile Name, Direction (Outbound), Outbound Minimum Bandwidth, Outbound Maximum Bandwidth (0–100000 Kbps), Inbound Minimum Bandwidth, Inbound Maximum Bandwidth, Type (Individual) and Maximum Number of Instances.) 3. Enter the settings as explained in the following table. Table 24: Add Bandwidth Profile screen settings. Profile Name: A descriptive name of the bandwidth profile, for identification and management purposes. Direction: From the Direction drop-down list, select the direction in which the bandwidth profile is applied. Outbound Traffic: The bandwidth profile is applied only to outbound traffic. Specify the outbound minimum and maximum bandwidths. Inbound Traffic: The bandwidth profile is applied only to inbound traffic. Specify the inbound minimum and maximum bandwidths. Both: The bandwidth profile is applied both to outbound and to inbound traffic. Specify both the outbound and the inbound minimum and maximum bandwidths. Outbound Minimum Bandwidth: The outbound minimum allocated bandwidth in Kbps. The default setting is 0 Kbps. Outbound Maximum Bandwidth: The outbound maximum allowed bandwidth in Kbps. The default setting is 100 Kbps; you cannot configure less than 100 Kbps, and the maximum allowable bandwidth is 100000 Kbps. Inbound Minimum Bandwidth: The inbound minimum allocated bandwidth in Kbps. The default setting is 0 Kbps
58. (...) Select the check box to the left of the policy that you want to delete, or click the Select All table button to select all IKE policies. 2. Click the Enable or Disable table button. For information about how to add or edit a VPN policy, see the next section, Manually Add or Edit a VPN Policy. Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first need to disable or delete the VPN policy before you can delete or edit the IKE policy. Manually Add or Edit a VPN Policy. To manually add a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166). 2. Under the List of VPN Policies table, click the Add table button. The Add New VPN Policy screen displays. (Screen fields: General section with Policy Name, Policy Type, Select Local Gateway, Remote Endpoint IP Address, Enable NetBIOS, Enable Rollover (WAN2), Enable Keepalive (Yes/No), Ping IP Address, Detection Period (seconds) and Reconnect after failure count; Traffic Selection with Local IP and Remote IP, each with Start IP, End IP and Subnet Mask; Manual Policy Parameters with SPI Incoming and SPI Outgoing (Hex, 3–8 chars), Encryption Algorithm and Integr
59. The VPN firewall supports several types of content filtering. Web components blocking: You can block the following web component types: Proxy, Java, ActiveX and cookies. Some of these components can be used by malicious websites to infect computers that access them. Even sites on the Trusted Domains list are subject to web components blocking when the blocking of a particular web component is enabled. Proxy: A proxy server (or simply proxy) allows computers to route connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective. Enabling this feature blocks proxy servers. Java: Blocks Java applets from being downloaded from pages that contain them. Java applets are small programs embedded in web pages that enable dynamic functionality of the page. A malicious applet can be used to compromise or infect computers. Enabling this setting blocks Java applets from being downloaded. ActiveX: Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX controls from being downloaded. Cookies: Cookies are used to store session information by websites that usually require
60. To add a server and a port number: 1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays. The following figure shows an example. (Figure 126: List of Configured Applications for Port Forwarding with Local Server IP Address 192.168.55.18 and TCP Port Number 21; List of Configured Host Names for Port Forwarding with Local Server IP Address 192.168.55.18 and Fully Qualified Domain Name ftp.customer.com; each list has Delete and Add actions and an Add New row.) 2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields. IP Address: The IP address of an internal server or host computer that a remote user has access to. TCP Port: The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. Table 51: Port forwarding applications (TCP port numbers). FTP data (usually not needed): 20. FTP Control Protocol: 21. SSH: 22 (a). Telnet: 23
61. (Figure 139: Edit Group screen with fields Type (ldap), LDAP attribute 1 through LDAP attribute 4 and Idle Timeout, and Apply and Reset buttons.) 3. Modify the idle time-out period (in minutes) in the Idle Timeout field. For a group that is associated with a domain that uses the LDAP authentication method, configure the LDAP attributes in fields 1 through 4 as needed. 4. Click Apply to save your changes. The modified group is displayed in the List of Groups table. Configure User Accounts. When you create a user account, you need to assign the user to a user group. When you create a group, you need to assign the group to a domain that specifies the authentication method. Therefore, you should first create any domains, then groups, and then user accounts. You can create different types of user accounts by applying predefined user types: Administrator: A user who has full access and the capacity to change the VPN firewall configuration (that is, read/write access). SSL VPN User: A user who can only log in to the SSL VPN portal. IPSEC VPN User: A user who can only make an IPSec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 172). Guest user: A user who can only view the VPN firewall configuration (that is, read-only access). To
62. Table 9: Add QoS screen settings for a rate control profile (continued). Congestion Priority: From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall. Default: Traffic is mapped based on the ToS field in the packet's IP header. High: This queue includes the following DSCP values: AF41, AF42, AF43, AF44 and CS4. Medium-high: This queue includes the following DSCP values: AF31, AF32, AF33, AF34 and CS3. Medium: This queue includes the following DSCP values: AF21, AF22, AF23, AF24 and CS2. Low: This queue includes the following DSCP values: AF11, AF12, AF13, AF14, CS1, 0 and all other values. Hosts: From the drop-down list, select the IP address, range of IP addresses or group to which the profile is applied. Single IP Address: The profile is applied to a single IP address. Enter the address in the Start IP field. IP Address Range: The profile is applied to an IP address range. Enter the start address of the range in the Start IP field and the end address of the range in the End IP field. Group: The profile is applied to a group. Select the group from the Select Group drop-down list and specify how the bandwidth is allocated by making a selection fr
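The Congestion Priority queues above are defined by DSCP names; the following is an added example (not code from NETGEAR or from the firewall) showing where those bits live in an IPv4 packet and how the table's groupings reduce to the three class-selector bits of the DSCP. The queue names come from Table 9; the header builder, sample addresses and the packet values are constructed for the example. Note that RFC 2597 defines only drop precedences 1 to 3 for each AF class, so AF44, AF34, AF24 and AF14 as listed in the table have no standard code point; classifying by class selector reproduces the table for every code point that is defined, and puts EF (46) in Low, as "all other values" implies.

```python
import socket
import struct

# Queue per DSCP class selector (top 3 bits). Anything not listed is Low.
QUEUE_BY_CLASS = {4: "High", 3: "Medium-high", 2: "Medium"}


def dscp_of(tos_byte):
    """DSCP is the upper 6 bits of the IPv4 ToS/DS byte; the low 2 bits are ECN."""
    return (tos_byte >> 2) & 0x3F


def dscp_value(name):
    """Numeric code point for a name: AFxy = 8x + 2y, CSx = 8x, EF = 46, 0 = 0."""
    if name in ("0", "BE", "CS0"):
        return 0
    if name == "EF":
        return 46
    if name.startswith("CS"):
        return 8 * int(name[2])
    if name.startswith("AF"):
        return 8 * int(name[2]) + 2 * int(name[3])
    raise ValueError("unknown code point " + name)


def queue_for_dscp(dscp):
    # Every entry Table 9 lists for one queue shares a class selector:
    # AF4x/CS4 = 4, AF3x/CS3 = 3, AF2x/CS2 = 2. AF1x, CS1, 0 and all other
    # values (EF = 46 among them) fall through to Low.
    return QUEUE_BY_CLASS.get(dscp >> 3, "Low")


def build_ipv4_header(dscp, ecn=0, src="192.168.1.20", dst="203.0.113.5"):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def queue_for_packet(raw_ipv4):
    """Classify a raw IPv4 packet the way the Default mapping reads the ToS field."""
    if len(raw_ipv4) < 20 or raw_ipv4[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return queue_for_dscp(dscp_of(raw_ipv4[1]))


if __name__ == "__main__":
    for name in ("AF41", "CS3", "AF23", "AF12", "EF", "0"):
        print(name, dscp_value(name), queue_for_dscp(dscp_value(name)))
    print(queue_for_packet(build_ipv4_header(dscp_value("AF41"), ecn=1)))
```

The ECN bits are masked off before the lookup, so a packet that is ECN-capable or marked congested is still queued by its DSCP alone; a classifier that compares the whole ToS byte against 0x88 (AF41 with ECN zero) would miss it.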
63. (...) access by Policy 3. The IP address range 10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1. An FTP server at ftp.company.com: the user would be granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2. Note: The user would not be able to access ftp.company.com using its IP address, 10.0.1.3. The VPN firewall's policy engine does not perform reverse DNS lookups. View Policies. To view the existing policies, follow these steps: 1. Select VPN > SSL VPN. The SSL VPN submenu tabs display with the Policies screen in view. The following figure shows some examples. (Figure 130: a Query section, View List of SSL VPN Policies for Global, Group or User, with user admin selected; a List of SSL VPN Policies table with columns Name, Type, Service, Destination, Permission and Action, containing RoadWarriorPolicy, Group, VPN Tunnel, TestResource, Permit; and a Related Policies table, populated only for Group and User, containing default, Global, All, 0.0.0.0/0 and FTPServerPolicy, Global, Port Forwarding, FTPServer.) 2. Make your selection from the following Query options: Click Globa
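The precedence described above ("most specific policy wins", a host name beating an address range, a narrower range beating a wider one, and no reverse DNS lookup) is modelled in the following added example. It is not the firewall's own policy engine; the policy names, ranges and permissions are constructed to mirror the relationships on this page, and precedence between user, group and global policies is not modelled because the page does not state it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str        # "host" (single FQDN), "ip" (single address) or "range"
    target: str      # FQDN, address, or "start-end"
    permission: str  # "PERMIT" or "DENY"


def address_span(policy):
    """Inclusive (low, high) integer bounds of an address-based policy."""
    if policy.kind == "range":
        lo, hi = (int(ipaddress.ip_address(a)) for a in policy.target.split("-"))
    else:
        lo = hi = int(ipaddress.ip_address(policy.target))
    return lo, hi


def matches(policy, destination):
    """destination is exactly what the client asked for: an FQDN or an IP literal."""
    if policy.kind == "host":
        return destination.lower() == policy.target.lower()
    try:
        n = int(ipaddress.ip_address(destination))
    except ValueError:
        return False  # request by name, policy by address: no lookup is performed
    lo, hi = address_span(policy)
    return lo <= n <= hi


def specificity(policy):
    """Sort key; smaller means more specific. A host name beats any address policy,
    then fewer covered addresses beats more."""
    if policy.kind == "host":
        return (0, 1)
    lo, hi = address_span(policy)
    return (1, hi - lo + 1)


def decide(policies, destination, default="DENY"):
    """Return (permission, policy name) from the most specific matching policy."""
    hits = [p for p in policies if matches(p, destination)]
    if not hits:
        return default, None
    best = min(hits, key=specificity)
    return best.permission, best.name


# Constructed policy set (assumption): a wide denied range, a narrower permitted
# range inside it, a second denied range that contains ftp.company.com's address,
# and a host-name policy for ftp.company.com.
POLICIES = [
    Policy("Policy1", "range", "10.0.0.0-10.0.0.255", "DENY"),
    Policy("Policy2", "range", "10.0.1.0-10.0.1.255", "DENY"),
    Policy("Policy3", "range", "10.0.0.5-10.0.0.20", "PERMIT"),
    Policy("FTPByName", "host", "ftp.company.com", "PERMIT"),
]

if __name__ == "__main__":
    for dest in ("10.0.0.10", "10.0.0.100", "ftp.company.com", "10.0.1.3"):
        print(dest, decide(POLICIES, dest))
```

The last case is the one the note above warns about: a request for 10.0.1.3 never matches the host-name policy, because the engine compares the literal the client used and does not resolve the address back to a name, so the wider Policy2 decides.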
64. (...) address that you want to modify. The Edit Secondary LAN IP Address screen displays. 2. Modify the IP address or subnet mask, or both. 3. Click Apply to save your settings. To delete one or more secondary LAN IP addresses: 1. On the LAN Multi-homing screen (see the previous screen), select the check box to the left of the secondary IP address that you want to delete, or click the Select All table button to select all secondary IP addresses. 2. Click the Delete table button. Manage Groups and Hosts (LAN Groups). The Known PCs and Devices table on the LAN Groups screen (see Figure 34 on page 68) contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall or have been discovered by other means. Collectively, these entries make up the network database. The network database is updated by these three methods: DHCP client requests: When the DHCP server is enabled, it accepts and responds to DHCP client requests from PCs and other network devices. These requests also generate an entry in the network database. This is an advantage of enabling the DHCP Server feature. Scanning the network: The local network is scanned using Address Resolution Protocol (ARP) requests. The ARP scan detects active devices that are not DHCP clients. Note: In large networks, scanning the network might generate unwanted traffic. Note: When the VPN firewall receives a reply to an ARP request, it might not be
65. (...) are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the VPN firewall. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the VPN firewall are: Inbound: Block all access from outside except responses to requests from the LAN side. Outbound: Allow all access from the LAN side to the outside. The firewall rules for blocking and allowing traffic on the VPN firewall can be applied to a combination of LAN WAN traffic, DMZ WAN traffic and LAN DMZ traffic. Table 17: Number of supported firewall rule configurations (traffic rule: maximum number of outbound rules / maximum number of inbound rules / maximum number of supported rules). LAN WAN: 200 / 200 / 200. DMZ WAN: 200 / 200 / 200. LAN DMZ: 200 / 200 / 200. Maximum number of supported rules: 300 / 300 / 600. The ma
66. (...) as the results of these cyber-crime activities. Security threats and hackers have become more sophisticated, and user names, encrypted passwords and the presence of firewalls are no longer enough to protect networks from being compromised. IT professionals and security experts have recognized the need to go beyond the traditional authentication process by introducing and requiring additional factors in the authentication process. NETGEAR has also recognized the need to provide more than just a firewall to protect networks. NETGEAR has implemented a more robust authentication system, known as Two-Factor Authentication (2FA or T-FA), to help address the fast-growing network security issues. What Are the Benefits of Two-Factor Authentication? Stronger security: Passwords cannot efficiently protect corporate networks, because attackers can easily guess simple passwords, or users cannot remember complex and unique passwords. A one-time passcode (OTP) strengthens authentication and removes the need to remember complex passwords. No need to replace existing hardware: Two-Factor Authentication can be added to existing NETGEAR products through a firmware upgrade. Quick to deploy and manage: The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products. Proven regulatory compliance: Two-Factor Authentication has been used as a mandatory authentication process for m
67. (...) at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B. (Figure 195: Gateway-to-Gateway Example, Dual WAN Ports Before Rollover. VPN router at office A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, FQDN netgearA.dyndns.org, WAN_A1 active, WAN_A2 inactive (IP N/A). VPN router at office B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, FQDN netgearB.dyndns.org, WAN_B1 active, WAN_B2 inactive (IP N/A). Fully qualified domain names (FQDN) are required for dynamic IP addresses.) The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN, because the active WAN ports could be either WAN_A1 or WAN_A2 and either WAN_B1 or WAN_B2; that is, the IP address of the active WAN ports is not known in advance. After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in the following figure), and one of the gateways needs to reestablish the VPN tunnel. (Figure: Gateway-to-Gateway Example, Dual WAN Ports After Rollover. At office A, WAN_A1 is now inactive (IP N/A) and WAN_A2 is active; at office B, WAN_B1 remains active and WAN_B2 inactive (IP N/A); the same FQDNs and LAN addresses apply.) Fully Qualified Domain Names (FQDN)
68. (...) authentication modes that are available for this configuration are User Database, RADIUS PAP or RADIUS CHAP. IPSec Host: The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination. Authentication Type: For an Edge Device configuration, select one of the following authentication types from the drop-down list. User Database: XAUTH occurs through the VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 174). Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is checked first; if the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 174. Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 174. Username: The user name for XAUTH. Password: The password for XAUTH. 8. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configure the NETGEAR VPN Client for Mode Config Operation. When the Mode Config feature is enabled, the following information is negotiated between the VPN client and the VPN firewall during the authentication p
69. (...) behind a NAT device. Explanation: These logs are generated when the remote WAN host is connected through a device such as the VPN firewall; NAT is detected before phase 1 is established. Message 3: NAT-D does not match the remote host. Message 6: The VPN firewall confirms that the remote host (the peer) is behind a NAT device. Recommended Action: None. SSL VPN Logs. This section describes the log messages that are generated by SSL VPN policies. Table 104: System logs, SSL VPN tunnel, WAN host and interface. Message (field separators restored as key=value pairs): 2000 Jan 1 03:44:55 [SRX5308] [sslvpntunnel] id=SRX5308 time="2000-1-1 3:44:55" fw=20.0.0.2 pri=6 rule=access-policy proto="SSL VPN Tunnel" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel". Explanation: An SSL VPN tunnel is established for ID SRX5308 with the WAN host 20.0.0.1 through WAN interface 20.0.0.2, logged in with the user name sai. Recommended Action: None. Table 105: System logs, VPN log messages, port forwarding, WAN host and interface. Message: 2000 Jan 1 01:30:08 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:30:8" fw=20.0.0.2 pri=6 rule=access-policy proto="Port Forwarding" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="Port Forwarding". Explanation: An SSL VPN tunnel through port forwarding is established for ID SRX5308 with the WAN host 20.0.0.1 through WAN interface 20.0
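A practitioner forwarding these messages to a log collector needs to split them into fields before anything can be alerted on. The following is an added example, not NETGEAR code: a parser for the SSL VPN tunnel and port-forwarding messages of Tables 104 and 105, and one simple check built on it (a user whose sessions arrive from more than one WAN host). The first two sample lines are the page's two messages; the key=value punctuation between the fields is an assumption, because the page shows the fields flattened. The third line, with a second source address, is constructed so that the check has something to find.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1 and 2 follow Tables 104 and 105; the
# key=value form is assumed. Line 3 is invented (same user, other WAN host).
SAMPLE_LOG = """\
2000 Jan 1 03:44:55 [SRX5308] [sslvpntunnel] id=SRX5308 time="2000-1-1 3:44:55" fw=20.0.0.2 pri=6 rule=access-policy proto="SSL VPN Tunnel" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel"
2000 Jan 1 01:30:08 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:30:8" fw=20.0.0.2 pri=6 rule=access-policy proto="Port Forwarding" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="Port Forwarding"
2000 Jan 1 04:10:02 [SRX5308] [sslvpntunnel] id=SRX5308 time="2000-1-1 4:10:2" fw=20.0.0.2 pri=6 rule=access-policy proto="SSL VPN Tunnel" src=198.51.100.7 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel"
"""

# "<year> <Mon> <day> <hh:mm:ss> [<device>] [<facility>] <key=value ...>"
HEADER_RE = re.compile(
    r"^(?P<stamp>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<device>[^\]]+)\] \[(?P<facility>[^\]]+)\] (?P<body>.*)$"
)
# key=value, where value is either "quoted, may contain spaces" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an access log line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"stamp": m["stamp"], "device": m["device"], "facility": m["facility"]}
    for key, whole, quoted, bare in FIELD_RE.findall(m["body"]):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def sessions_by_user(log_text):
    """user -> set of (src WAN host, proto) for tunnel and port-forwarding logs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["facility"] in ("sslvpntunnel", "portforwarding"):
            seen[rec["user"]].add((rec["src"], rec["proto"]))
    return dict(seen)


def users_from_multiple_hosts(log_text):
    """Users whose sessions were established from more than one WAN host."""
    return sorted(user for user, pairs in sessions_by_user(log_text).items()
                  if len({src for src, _ in pairs}) > 1)


if __name__ == "__main__":
    for user, pairs in sessions_by_user(SAMPLE_LOG).items():
        print(user, sorted(pairs))
    print("multiple hosts:", users_from_multiple_hosts(SAMPLE_LOG))
```

Quoted values are handled separately from bare tokens because proto and time contain spaces; a parser that splits the body on whitespace would break "SSL VPN Tunnel" into three fields. The `src` field is the WAN host the user connected from, and `fw` the WAN interface that accepted the session, which is why `src`, not `fw`, is what the check groups on.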
70. (...) check box to unmask the time (hour, minute, second) and the Day, Month and Year fields. Enter the date and time. Select VPN Policy: When the VPN firewall is configured to synchronize to an NTP server on the VPN, select the VPN policy from the drop-down list. For information about configuring VPN policies, see Configure VPN Policies on page 165. Table 64: Time Zone screen settings (continued). NTP Server (default or custom): From the drop-down list, select an NTP server. Use Default NTP Servers: The VPN firewall's RTC is updated regularly by contacting a default NETGEAR NTP server on the Internet. Use Custom NTP Servers: The VPN firewall's RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you need to specify in the fields that become available with this menu selection. Note: If you select this option but leave either the Server 1 or the Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome. Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server. Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server. 3. Click Apply to save your settings. N
71. (...) count. (Figure 123.) 3. Select the Enable NetBIOS check box. 4. Click Apply to save your settings. Virtual Private Networking Using SSL Connections. The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client such as a standard web browser. Once the authentication and negotiation of encryption information are completed, the server and client can establish an encrypted connection. With support for up to 50 dedicated SSL VPN tunnels, the VPN firewall allows users to easily access the remote network for a customizable, secure user portal experience from virtually any available platform. This chapter contains the following sections: SSL VPN Portal Options; Overview of the SSL Configuration Process; Create the Portal Layout; Configure Domains, Groups and Users; Configure Applications for Port Forwarding; Configure the SSL VPN Client; Use Network Resource Objects to Simplify Policies; Configure User, Group and Global Policies; Access the SSL Portal Login Screen; View the SSL VPN Connection Status and SSL VPN Logs. SSL VPN Portal Options. The VPN fi
72. (...) create an individual user account: 1. Select Users > Users. The Users screen displays. The following figure shows the VPN firewall's default users, admin and guest, and, as an example, another user in the List of Users table. (Figure 140: rows admin, group geardomain, type Administrator, authentication domain geardomain; guest, group geardomain, type Guest User, authentication domain geardomain; CustomerSupportContract, group Customers, type SSL VPN User, authentication domain Customers; each row has Edit and Policies buttons, and the screen has Select All, Delete and Add buttons; default users are marked with an asterisk.) The List of Users table displays the users with the following fields. Check box: Allows you to select the user in the table. Name: The name of the user. If the user name is appended by an asterisk, the user is a default user that came preconfigured with the VPN firewall and cannot be deleted. Group: The group to which the user is assigned. Type: The type of access credentials that are assigned to the user. Authentication Domain: The authentication domain to which the user is assigned. Action: The Edit table button, which provides access to the Edit User screen, and the Policies table button, which provides access to the policy screens. 2. Click the Add table button. The Add User screen displays. (Figure 141: Add User screen with the fields Username, User Type
73. endpoint to keep the tunnel alive. You need to enter the ping IP address, the detection period, and the maximum number of keep-alive requests that the VPN firewall sends (see below).
- No: This feature is disabled. This is the default setting.

Ping IP Address: The IP address that the VPN firewall pings. The address needs to be of a host that can respond to ICMP ping requests. Choose a host on the remote LAN that is reachable only through the tunnel; a reply from a host reachable outside the tunnel proves nothing about the tunnel itself.

Table 48. Keep-alive settings (continued)
Setting | Description
Enable Keepalive (continued):
Detection Period | The period, in seconds, between the keep-alive requests. The default setting is 10 seconds.
Reconnect after failure count | The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default is 3 keep-alive requests.

4. Click Apply to save your settings.

Configure Dead Peer Detection

The Dead Peer Detection (DPD) feature maintains the IKE SA by exchanging periodic messages with the remote VPN peer.

To configure DPD on a configured IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display, with the IKE Policies screen in view (see Figure 104 on page 160).
2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The E
74. failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures. (Reconnect after failure count)
4. Click Apply to save your settings.

Configure NetBIOS Bridging with IPSec VPN

Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services, such as naming and neighborhood device discovery. Because VPN routers do not normally pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the VPN firewall to bridge NetBIOS traffic over the VPN tunnel.

To enable NetBIOS bridging on a configured VPN tunnel:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. The following figure shows only the top part of the screen, with the General section.

[Edit VPN Policy screen ("Operation succeeded"), General section: Policy Name; Policy Type; Select Local Gateway; Remote Endpoint (IP Address); Enable NetBIOS (check box); Enable Rollover (WAN2); Enable Keepalive (Yes / No); Ping IP Address; Detection Period (20 seconds in the example); Reconnect after failure
75. firewall displays the total number of dropped packets that violate either the IP-to-MAC binding or the MAC-to-IP binding.

Note: You can bind IP addresses to MAC addresses for DHCP assignment on the LAN Groups submenu. See Manage the Network Database on page 68.

As an example, assume that three computers on the LAN are set up as follows:
- Host1: MAC address 00:01:02:03:04:05 and IP address 192.168.10.10
- Host2: MAC address 00:01:02:03:04:06 and IP address 192.168.10.11
- Host3: MAC address 00:01:02:03:04:07 and IP address 192.168.10.12

If all of the preceding host entries are added to the IP/MAC Bindings table, the following scenarios indicate the possible outcomes:
- Host1: Matching IP address and MAC address in the IP/MAC Bindings table.
- Host2: Matching IP address but inconsistent MAC address in the IP/MAC Bindings table.
- Host3: Matching MAC address but inconsistent IP address in the IP/MAC Bindings table.

In this example, the VPN firewall blocks the traffic coming from Host2 and Host3 but allows the traffic coming from Host1 to any external network. The total count of dropped packets is displayed.

To set up IP/MAC bindings:
1. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays. See the following figure, which shows one binding in the IP/MAC Binding table as an example.

Securit
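The Host1/Host2/Host3 outcome above, worked through as an added example (this is not the VPN firewall's own code). It models the IP/MAC Bindings table as a one-to-one mapping and drops any packet whose source violates either direction of it. Whether a host that is absent from the table is allowed is not stated on the page; the example assumes it is, and says so in the code.

```python
"""IP/MAC binding check modelled on the rule described in the text.

Added example, not the VPN firewall's code. A packet is allowed only when
its source IP and source MAC agree with the binding table in both
directions; a packet from a completely unbound host is allowed
(assumption: the table only constrains bound entries).
"""

# Constructed from the manual's three example hosts.
BINDINGS = {
    "00:01:02:03:04:05": "192.168.10.10",  # Host1
    "00:01:02:03:04:06": "192.168.10.11",  # Host2
    "00:01:02:03:04:07": "192.168.10.12",  # Host3
}


def check_packet(bindings, src_mac, src_ip):
    """Return ("allow" | "drop", reason) for a LAN packet with the given source."""
    mac = src_mac.lower()
    ip_bound_to_mac = bindings.get(mac)
    mac_bound_to_ip = next((m for m, ip in bindings.items() if ip == src_ip), None)

    if ip_bound_to_mac is not None and ip_bound_to_mac == src_ip:
        return "allow", "matching binding"
    if ip_bound_to_mac is None and mac_bound_to_ip is None:
        return "allow", "unbound host (assumption: not constrained)"
    if mac_bound_to_ip is not None and mac_bound_to_ip != mac:
        # The IP is reserved for another MAC: the Host2 case.
        return "drop", "IP-to-MAC violation"
    # The MAC is bound to a different IP: the Host3 case.
    return "drop", "MAC-to-IP violation"


def filter_packets(bindings, packets):
    """Apply check_packet to (mac, ip) pairs; return (allowed pairs, dropped count)."""
    allowed, dropped = [], 0
    for mac, ip in packets:
        verdict, _ = check_packet(bindings, mac, ip)
        if verdict == "allow":
            allowed.append((mac, ip))
        else:
            dropped += 1
    return allowed, dropped


# Constructed traffic: Host1 as bound, Host2's IP sent from a foreign MAC,
# Host3's MAC sending from a foreign IP.
SAMPLE_PACKETS = [
    ("00:01:02:03:04:05", "192.168.10.10"),
    ("00:01:02:03:04:AA", "192.168.10.11"),
    ("00:01:02:03:04:07", "192.168.10.99"),
]

if __name__ == "__main__":
    for mac, ip in SAMPLE_PACKETS:
        print(mac, ip, *check_packet(BINDINGS, mac, ip))
    print("dropped:", filter_packets(BINDINGS, SAMPLE_PACKETS)[1])
```

The dropped count returned by filter_packets corresponds to the total the IP/MAC Binding screen displays; the reason string tells you which direction of the binding was violated, which the screen's single counter does not.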
76. from the corresponding drop-down list, select the backup WAN interface. After an auto-rollover has occurred, the VPN tunnel will be reestablished using the backup WAN interface.

2. End Point Information
What is the Remote Identifier Information? When you select the Client radio button in the About VPN Wizard section of the screen, the default remote FQDN, srx_remote.com, is automatically entered. Use the default remote FQDN or enter another FQDN.
What is the Local Identifier Information? When you select the Client radio button in the About VPN Wizard section of the screen, the default local FQDN, srx_local.com, is automatically entered. Use the default local FQDN or enter another FQDN.

Secure Connection Remote Accessibility
What is the remote LAN IP Address? What is the remote LAN Subnet Mask? These fields are masked out for VPN client connections.

Note: Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported.

3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled.

[VPN Policies screen (tabs: IPSec VPN, SSL VPN, Certificates, Connection Status; "Operation succeeded"). List of VPN Policies columns: Local, Remote, Auth, Encr, Action; Auto Policy
77. icon; Purple icon: at least one VPN tunnel opened / no VPN tunnel opened. [Figure 100]

NETGEAR VPN Client Status and Log Information

To view detailed negotiation and error information on the NETGEAR VPN client, right-click the VPN client icon in the system tray and select Console. The VPN Client Console Active screen displays.

[VPN Console (ACTIVE) screen. Log entries shown:]
VPNCONF TGBIKE_STARTED received
2011-06-24 15:43:41 Default SA Gateway-P1 SEND phase 1 Aggressive Mode SA KEY_EXCH NONCE ID VID VID VID ID VID
2011-06-24 15:43:42 Default SA Gateway-P1 RECV phase 1 Aggressive Mode HASH SA KEY_EXCH NONCE ID NAT_D NAT_D VID VID VID
2011-06-24 15:43:42 Default SA Gateway-P1 SEND phase 1 Aggressive Mode HASH NAT_D NAT_D
2011-06-24 15:43:42 Default phase 1 done: initiator id remote.com, responder id local.com
2011-06-24 15:43:42 Default SA Gateway-Tunnel-P2 SEND phase 2 Quick Mode HASH SA KEY_EXCH NONCE ID ID
2011-06-24 15:43:42 Default SA Gateway-P1 RECV Informational HASH NOTIFY
2011-06-24 15:43:42 Default SA Gateway-Tunnel-P2 RECV phase 2 Quick Mode HASH SA KEY_EXCH NONCE ID ID
2011-06-24 15:43:42 Default SA Gateway-Tunnel-P2 SEND phase 2 Quick Mode HASH
2011-06-24 15:43:59 Default SA Gateway-P1 SEND Informational HASH DELETE
2011-06-24 15:43:59 Default l
78. incoming and outgoing Internet traffic is blocked, but incoming and outgoing email traffic is still allowed.
Send e-mail alert: An email alert is sent when traffic is blocked. Ensure that emailing of logs is enabled on the Email and Syslog screen (see Activate Notification of Events, Alerts, and Syslogs on page 269).

3. Click Apply to save your settings.
4. If you want to enable the traffic meter for another WAN interface, select the appropriate WAN Traffic Meter tab for that interface and repeat step 2 and step 3 for that WAN interface.

The contents of the WAN2 Traffic Meter, WAN3 Traffic Meter, and WAN4 Traffic Meter screens are identical to the WAN1 Traffic Meter screen, with the exception of the WAN interface number.

To display a report of the Internet traffic by type for the WAN1 interface:
Click the Traffic by Protocol option arrow in the upper right of the WAN1 Traffic Meter screen. Each WAN Traffic Meter screen has a Traffic by Protocol option arrow that enables you to display the Internet traffic by type for that WAN interface. The Traffic by Protocol screen appears in a pop-up window.

[Figure 160: Traffic by Protocol screen. Start Date, End Date. Columns: Protocol | Incoming Traffic (Total MB, MB Per Day) | Outgoing Traffic (Total MB, MB Per Day). Rows: Email, HTTP, Others, Total (all 0 in the example). Refresh button]
79. interface appears, displaying the Router Status screen. For information about this screen, see View the System, Router Status, and Statistics on page 275.

[Figure 6: Router Status screen. System Name: SRX5308. Firmware Version (Primary): 3.0.6-7. Firmware Version (Secondary): 3.0.6-5. LAN Information: IP address 192.168.1.1, subnet mask 255.255.255.0; further LAN entries 192.174.60.22 / 255.255.255.0 and 192.168.1.1 / 255.255.255.0; Port 4 (DMZ): 192.168.63.22 / 255.255.255.0. WAN (IP Address, Subnet Mask, Status): WAN1 10.34.116.22, 255.255.255.243, UP; WAN2 0.0.0.0, 0.0.0.0; WAN3 0.0.0.0, 0.0.0.0; WAN4 0.0.0.0, 0.0.0.0]

Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out.

Web Management Interface Menu Layout

The following figure shows the menu at the top of the web management interface.

[Menu layout figure: NETGEAR ProSafe web management interface. Example menu items: Network Configuration; WAN Settings, Protocol Binding, Dynamic DNS, DMZ Setup, Routing, LAN Groups, LAN Multi-homing; Advanced; Log. Legend: 3rd Level: Submenu tab (blue); Option arrow: Additional screen for submenu item; 2nd Level: Configuration menu link (gray); 1st Level: Main Navigation m
80. is set up correctly.

To ping the VPN firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click Start and select Run.
2. In the field provided, type ping followed by the IP address of the VPN firewall, for example:
   ping 192.168.1.1
3. Click OK. A message similar to the following should display:
   Pinging <IP address> with 32 bytes of data
   If the path is working, you will see this message:
   Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
   If the path is not working, you will see this message:
   Request timed out

If the path is not functioning correctly, you could have one of the following problems:
- Wrong physical connections. Make sure that the LAN port LED is on. If the LED is off, follow the instructions in LAN or WAN Port LEDs Not On on page 295. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and VPN firewall.
- Wrong network configuration. Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP addresses for your VPN firewall and your workstation are correct and that the addresses are on the same subnet.

Test the Path from Your PC to a Remote Device

After verifying that the LAN path wo
81. key: RSA Signature / Pre-shared key; Key Length (8-49 characters); Diffie-Hellman (DH) Group; SA Lifetime (sec); Enable Dead Peer Detection (Yes / No); Detection Period (seconds); Reconnect after failure count; Extended Authentication (XAUTH) Configuration: Authentication Type (User Database); None / Edge Device / IPSec Host. [Figure 111]

On the Add IKE Policy screen, complete the settings as explained in the following table.

Note: The settings that are explained in the following table are specifically for a Mode Config configuration. Table 38 on page 162 explains the general IKE policy settings.

Table 44. Add IKE Policy screen settings for a Mode Config configuration
Setting | Description
Mode Config Record:
Do you want to use Mode Config Record? | Select the Yes radio button. Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs. Keep in mind that in Aggressive mode the identities are exchanged before the session is encrypted, and with pre-shared key authentication the authentication hash is visible to anyone who captures the exchange and can be attacked offline; use a long, random pre-shared key or RSA Signature authentication.
Select Mode Config Record | From the drop-down list, select the Mode Config record that you created in step 4 on page 179. In this example, we are using NA Sales.
General:
Policy Name | A descriptive name of the IKE policy for identification and ma
82. login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website.
Note: Many websites require that cookies be accepted in order for the site to be accessed correctly. Blocking cookies might interfere with useful functions provided by these websites.
- Keyword blocking (domain name blocking): You can specify up to 32 words that, should they appear in the website name (URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall.

You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.

You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of trusted domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.

Keyword application examples:
- If the keyword XXX is specified, the URL www.zzyyqq.com/xxx.html is blocked, as is the newsgroup alt.pictures.XXX.
- If the keyword com is specified, only websites with other domain suffixes, such as edu or gov, can be viewed.
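The keyword-blocking rules above, including the trusted-domain bypass and the per-group switch, as an added example that is not the VPN firewall's own code. It reproduces the page's two worked examples (keyword XXX, keyword com) and goes slightly beyond them by also handling full URLs with a scheme. Case-insensitive matching is assumed, which the XXX / xxx.html example implies; the 32-keyword limit is the one the page states.

```python
"""Keyword (domain name) blocking with trusted-domain bypass.

Added example; not NETGEAR code. A target (URL, host name or newsgroup
name) is blocked when any configured keyword appears in it, unless the
target's host exactly matches a trusted domain, and only for PCs in a
group with keyword blocking enabled.
"""

MAX_KEYWORDS = 32  # limit stated on the page


def split_target(target):
    """Split a URL, host name or newsgroup name into (lower-cased host, path)."""
    rest = target.split("://", 1)[1] if "://" in target else target
    host, _, path = rest.partition("/")
    return host.lower(), ("/" + path if path else "")


def is_blocked(target, keywords, trusted_domains=(), group_blocking_enabled=True):
    """True if the VPN firewall would block this target for the requesting PC."""
    if len(keywords) > MAX_KEYWORDS:
        raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
    if not group_blocking_enabled:
        return False                      # PC is in a group without keyword blocking
    host, path = split_target(target)
    if host in {d.lower() for d in trusted_domains}:
        return False                      # exact-match trusted-domain bypass
    haystack = host + path
    return any(k.lower() in haystack for k in keywords if k)


def evaluate_many(targets, keywords, trusted_domains=()):
    """Map each target to its verdict; useful for checking a keyword list before deploying it."""
    return {t: is_blocked(t, keywords, trusted_domains) for t in targets}


if __name__ == "__main__":
    # Constructed inputs taken from the page's two worked examples.
    print(evaluate_many(["www.zzyyqq.com/xxx.html", "alt.pictures.XXX", "www.example.edu"], ["XXX"]))
    print(evaluate_many(["http://www.example.com/", "http://www.example.gov/"], ["com"]))
```

Running evaluate_many against a list of sites you need to keep reachable is a cheap way to catch an over-broad keyword such as "com" before it blocks the whole .com namespace for the affected groups.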
83. name.

To modify the SNMP identification information:
1. Select Administration > SNMP. The SNMP screen displays (see Figure 154 on page 254).
2. Click the SNMP System Info option arrow in the upper right of the screen. The SNMP SysConfiguration screen displays.

[Figure 156: SNMP SysConfiguration screen. SysName: SRX5308]

3. Modify any of the information that you want the SNMP manager to use. You can edit the system contact, system location, and system name.
4. Click Apply to save your settings.

Manage the Configuration File

The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall. This file can be saved (backed up) to a PC, retrieved (restored) from the PC, or cleared to factory default settings.

Once the VPN firewall is installed and works correctly, make a backup of the configuration file to a computer. If necessary, you can later restore the VPN firewall settings from this file. Because the file holds the complete configuration, including VPN keys and user accounts, store the backup with the same care as the administrator password.

The Settings Backup and Firmware Upgrade screen lets you do the following:
- Back up and save a copy of the current settings.
- Restore saved settings from the backed-up file.
- Revert to the factory default settings.
- Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version.

To display the Settings Backup and Firmware Upgrade screen:
Select Administratio
84. name, group, and IP address are listed in the table, with a timestamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user's table entry.

To view the SSL VPN logs:
Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays.

[Figure 135: SSL VPN Logs screen (Monitoring: Router Status, Active Users, Traffic Meter, Diagnostics, Firewall Logs & E-mail, IPSec VPN Logs, SSL VPN Logs). "No Data Available". Buttons: Refresh Log, Clear Log]

Managing Users, Authentication, and Certificates

This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections:
- Configure VPN Authentication Domains, Groups, and Users
- Manage Digital Certificates

Configure VPN Authentication Domains, Groups, and Users

Users are assigned to a group, and a group is assigned to a domain. Therefore, you should first create any domains, then groups, then user accounts.

You need to create name and password accounts for all users who should be able to connect to the VPN firewall. This includes administrators and SSL VPN clients. Accounts for IPSec VPN clients are required only if you have enabled Extended Authentication (XAUTH) in your IPSec VPN configuration.

Users connecting to the VPN firewall need to be authenticat
85. obtain an IP address automatically from the VPN firewall via DHCP.

To connect and log in to the VPN firewall:
1. Start any of the qualified web browsers, as explained in Qualified Web Browsers on page 20.
2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser.

Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.

[Figure 5: NETGEAR Configuration Manager Login screen. Fields: Username (admin), Password / Passcode, Domain. Copyright 2009 NETGEAR]

Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate.

3. In the Username field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here too, use lowercase letters. These factory credentials are public; change the admin password as soon as you have logged in for the first time.

Note: The VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.

5. In the Domain drop-down list, leave the default selection, which is geardomain.
6. Click Login. The web management
86. of the matching IKE policies are acceptable to the remote VPN gateway, then a VPN tunnel cannot be established.
2. An IKE session is established using the security association (SA) settings that are specified in a matching IKE policy:
- Keys and other settings are exchanged.
- An IPSec SA is established using the settings that are specified in the VPN policy.
The VPN tunnel is then available for data transfer.

When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies from the IKE Policies screen.

IKE Policies Screen

To access the IKE Policies screen:
Select VPN > IPSec VPN. The IPSec VPN submenu tabs display, with the IKE Policies screen in view. The following figure shows some examples.

[Figure 104: IKE Policies screen (tabs: SSL VPN, Certificates, Connection Status; IKE Policies, VPN Policies, VPN Wizard, Mode Config, RADIUS Client; "Operation succeeded"). List of IKE Policies:]
Name | Mode | Local ID | Remote ID | Encr | Auth | DH | Action
GW1 to GW2 | Main | 10.34.116.22 | 10.144.28.226 | 3DES | SHA-1 | Group 2 (1024 bit) | Edit
Client to mainoffice | Aggressive | srx_local.com | srx_remote.com | 3DES | SHA-1 | Group 2 (1024 bit) | Edit
(Buttons: Select All, Delete, Add)

Each policy contai
87. on page 241.

Manage CA Certificates

To view and upload trusted certificates:
Select VPN > Certificates. The Certificates screen displays. The following figure shows the top section of the screen, with the trusted certificate information and one example certificate in the Trusted Certificates (CA Certificate) table.

[Figure 146: Certificates screen (1 of 3); tabs: Network Configuration, IPSec VPN, SSL VPN, Connection Status, Certificates; "Operation succeeded". Trusted Certificates (CA Certificate) table:]
CA Identity (Subject Name) | Issuer Name
O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, emailAddress=support@cacert.org | O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, emailAddress=support@cacert.org
(Buttons: Select All, Delete. Upload Trusted Certificate: Trusted Certificate File, Upload)

The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains the following fields:
- CA Identity (Subject Name): The organization or person to whom the digital certificate is issued. For a root CA, as in the example, the subject and issuer names are identical because the certificate is self-signed.
- Issuer Name: The name of the CA that issued the digital certificate.
- Expiry Time: The date after which the digital certificate becomes invalid.

To upload a digital certificate of a trusted CA on the VPN firewall:
1. Download a digital certificate file from a trusted CA and store it on your comput
88. operable.
DNS Suffix | A DNS suffix to be appended to incomplete DNS search strings. This is optional.
Primary DNS Server | The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This is optional. Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
Secondary DNS Server | The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This is optional.

Table 52. SSL VPN client IP address range settings (continued)
Setting | Description
Client Address Range Begin | The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End | The last IP address of the IP address range that you want to assign to the VPN tunnel clients.

3. Click Apply to save your settings. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range.

Add Routes for VPN Tunnel Clients

The VPN tunnel clients assume that the following networks are located across the VPN-over-SSL tunnel:
- The subnet that contains the client IP address (that is, the PPP interface), as determined by the class of the address (Class A, B, or C).
- Subnets that are specified in the Configured
89. options described in this user's guide may not be available in your version of the product.

FCC Requirements for Operation in the United States

FCC Information to User: This product does not contain any user-serviceable components and is to be used with approved antennas only. Any product changes or modifications will invalidate all applicable regulatory certifications and approvals. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

FCC Guidelines for Human Exposure: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm between the radiator and your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

FCC Declaration of Conformity: We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 complies with Part 15 of FCC Rules. Operation is subject to the following two conditions:
- This device may not cause harmful interference, and
- This device must accept any interference received, including interference that may cause undesire
90. or disable a policy, select the check box adjacent to the circle and click the Enable or Disable table button, as appropriate.
- Name: The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN policy, the name of the VPN policy and of the automatically created accompanying IKE policy is the connection name.
- Type: Auto or Manual, as described previously. Auto is used during VPN Wizard configuration.
- Local: IP address (either a single address, a range of addresses, or a subnet address) on your LAN. Traffic needs to be from or to these addresses to be covered by this policy. The subnet address is supplied as the default IP address when you are using the VPN Wizard.
- Remote: IP address or address range of the remote network. Traffic needs to be to or from these addresses to be covered by this policy. The VPN Wizard default requires the remote LAN IP address and subnet mask.
- Auth: The authentication algorithm that is used for the VPN tunnel. This setting needs to match the setting on the remote endpoint.
- Encr: The encryption algorithm that is used for the VPN tunnel. This setting needs to match the setting on the remote endpoint.

To delete one or more VPN policies:
1. Select the check box to the left of the policy that you want to delete, or click the Select All table button to select all VPN policies.
2. Click the Delete table button.

To enable or disable one or more VPN policies:
1.
91. phase. If there is no connection, the status is IPSec SA Not Established.
- Action: Click the Connect table button to build the connection, or click the Disconnect table button to terminate the connection.

View the VPN Firewall IPSec VPN Logs

To view the IPSec VPN logs:
Select Monitoring > VPN Logs. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view.

[Figure 103: IPSec VPN Logs screen. Visible entries (the left edge of some timestamps is cut off in the figure):]
..45 SRX5308 IKE: IKE started_
..45 SRX5308 IKE: Adding IKE configuration with identifier client2_
..45 SRX5308 IKE: Adding IPSec configuration with identifier client
..04 SRX5308 IKE: Adding IPSec configuration with identifier GW1
..03 SRX5308 IKE: IPSec configuration with identifier client2 deleted
..03 SRX5308 IKE: no phase1 found for client2_
2010 Feb 18 03:04:03 SRX5308 IKE: IKE configuration with identifier client2 deleted
2010 Feb 18 21:27:55 SRX5308 IKE: Adding IPSec configuration with identifier Client
2010 Feb 18 21:27:55 SRX5308 IKE: Adding IKE configuration with identifier Client to
..03 SRX5308 IKE: no phase2 found for client2_
(Buttons: Refresh Log, Clear Log)

Click Refresh Log to view the most recent entries. Click Clear Log to remove all entries.

Manage IPSec VPN Policies

After you have used the VPN Wizard to set up a VPN tunnel, a VPN pol
92. primary link comes back up. The VPN firewall monitors the status of the primary link using the configured WAN failure detection method. This section describes the logs generated when the WAN mode is set to auto-rollover.

Table 92. System logs: WAN status, auto-rollover
Message:
Nov 17 09:59:09 SRX5308 wand LBFO: WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 SRX5308 wand LBFO: WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 SRX5308 wand LBFO: WAN1 Test Failed 3 of 3 times_
Nov 17 10:01:01 SRX5308 wand LBFO: WAN1 Test Failed 4 of 3 times_
Nov 17 10:01:35 SRX5308 wand LBFO: WAN1 Test Failed 5 of 3 times_
Nov 17 10:01:35 SRX5308 wand LBFO: WAN1 DOWN WAN2 UP ACTIVE WAN2__
Nov 17 10:02:25 SRX5308 wand LBFO: WAN1 Test Failed 6 of 3 times_
Nov 17 10:02:25 SRX5308 wand LBFO: Restarting WAN1_
Nov 17 10:02:57 SRX5308 wand LBFO: WAN1 Test Failed 7 of 3 times_
Nov 17 10:03:27 SRX5308 wand LBFO: WAN1 Test Failed 8 of 3 times_
Nov 17 10:03:57 SRX5308 wand LBFO: WAN1 Test Failed 9 of 3 times_
Nov 17 10:03:57 SRX5308 wand LBFO: Restarting WAN1_

Table 92. System logs: WAN status, auto-rollover (continued)
Explanation: The logs suggest that the failover was detected after 5 attempts instead of 3. However, the reason that the messages appear in the log is because of the WAN state tr
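Reading the rollover sequence in Table 92 by hand is error-prone once the log is hundreds of lines long. The following added example (not NETGEAR code) parses the wand/LBFO messages, tracks the failure counter per WAN interface and reports the count at which the active interface actually switched, together with each "Restarting WANn" event. The sample lines are constructed to reproduce the table's sequence; the exact syslog punctuation of a real unit may differ, so adjust the regular expressions if your export looks different.

```python
"""Summarise an auto-rollover episode from wand/LBFO log lines.

Added example, not NETGEAR code. It answers three questions an operator
asks when reading Table 92: what failure threshold was configured, at
which failure count the switch to the backup WAN happened, and when the
primary WAN was restarted afterwards.
"""
import re

TEST_FAILED = re.compile(r"(WAN\d) Test Failed (\d+) of (\d+) times")
STATE_CHANGE = re.compile(r"(WAN\d) DOWN,? (WAN\d) UP,? ACTIVE (WAN\d)")
RESTART = re.compile(r"Restarting (WAN\d)")

# Constructed from the message sequence in Table 92.
SAMPLE_LOG = """\
Nov 17 09:59:09 SRX5308 wand LBFO: WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 SRX5308 wand LBFO: WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 SRX5308 wand LBFO: WAN1 Test Failed 3 of 3 times_
Nov 17 10:01:01 SRX5308 wand LBFO: WAN1 Test Failed 4 of 3 times_
Nov 17 10:01:35 SRX5308 wand LBFO: WAN1 Test Failed 5 of 3 times_
Nov 17 10:01:35 SRX5308 wand LBFO: WAN1 DOWN WAN2 UP ACTIVE WAN2__
Nov 17 10:02:25 SRX5308 wand LBFO: WAN1 Test Failed 6 of 3 times_
Nov 17 10:02:25 SRX5308 wand LBFO: Restarting WAN1_
Nov 17 10:02:57 SRX5308 wand LBFO: WAN1 Test Failed 7 of 3 times_
Nov 17 10:03:27 SRX5308 wand LBFO: WAN1 Test Failed 8 of 3 times_
Nov 17 10:03:57 SRX5308 wand LBFO: WAN1 Test Failed 9 of 3 times_
Nov 17 10:03:57 SRX5308 wand LBFO: Restarting WAN1_
"""


def analyze_rollover(log_text):
    """Return threshold, per-WAN failure counts, active WAN, failover count/time, restarts."""
    summary = {"threshold": None, "failures": {}, "active": None,
               "failover_at": None, "failover_time": None, "restarts": []}
    for line in log_text.splitlines():
        timestamp = line[:15]                    # "Nov 17 10:01:35"
        m = TEST_FAILED.search(line)
        if m:
            wan, count, threshold = m.group(1), int(m.group(2)), int(m.group(3))
            summary["failures"][wan] = count     # counter keeps climbing past the threshold
            summary["threshold"] = threshold
            continue
        m = STATE_CHANGE.search(line)
        if m:
            down_wan, _, active_wan = m.groups()
            summary["active"] = active_wan
            summary["failover_at"] = summary["failures"].get(down_wan)
            summary["failover_time"] = timestamp
            continue
        m = RESTART.search(line)
        if m:
            summary["restarts"].append((timestamp, m.group(1)))
    return summary


def failover_was_late(summary):
    """True when the switch happened at a higher count than the configured threshold."""
    return (summary["failover_at"] is not None
            and summary["failover_at"] > summary["threshold"])


if __name__ == "__main__":
    result = analyze_rollover(SAMPLE_LOG)
    print(result)
    print("late failover:", failover_was_late(result))
```

For the table's sequence the function reports a threshold of 3, a switch to WAN2 at failure 5 (the "late" case the explanation discusses) and two restarts of WAN1; the same parser can be pointed at a syslog export to confirm whether the delay was a one-off or recurs on every rollover.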
93. reestablish the VPN tunnel. The gateway WAN port needs to act as the responder.

[Figure 200: Telecommuter Example, Dual WAN Ports After Rollover. Client B: remote PC at the telecommuter's home office, running the NETGEAR ProSafe VPN Client, behind a NAT router. Gateway A: VPN router at the employer's main office, WAN1 IP and WAN2 IP (0.0.0.0 for the inactive port), LAN IP 10.5.6.1, LAN 10.5.6.0/24, FQDN bzrouter2.dyndns.org. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses. The remote PC must re-establish the VPN tunnel after a rollover.]

The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 or WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel. The client re-resolves the FQDN when it reconnects, so the DNS record's time to live bounds how quickly it can learn the new address after a rollover.

VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing

In a dual WAN port load balancing gateway configuration, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2, as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port needs to act as the responder.

[Figure: Telecommuter Example, Dual WAN Ports Load Balancing. LAN 10.5.6.0/24; Client B; Gateway A WAN1 IP; NAT Rout
94. screen (see Figure 39 on page 76), select the check box to the left of the route that you want to delete, or click the Select All table button to select all routes.
2. Click the Delete table button.

Configure Routing Information Protocol

Routing Information Protocol (RIP, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. RIP is disabled by default. Only RIP-2B and RIP-2M support the MD5 authentication shown on the screen below; RIP-1 accepts updates from any host on the segment, so if you enable RIP where untrusted hosts can send routing updates, use RIP-2 with authentication.

To enable and configure RIP:
1. Select Network Configuration > Routing.
2. Click the RIP Configuration option arrow in the upper right of the Routing screen. The RIP Configuration screen displays.

[Figure 40: RIP Configuration screen (Network Configuration: Protocol Binding, Dynamic DNS, LAN Settings, DMZ Setup). RIP Direction; RIP Version (Disabled); Authentication for RIP-2B/2M required? (Yes / No). First Key Parameters: MD5 Key Id, MD5 Auth Key, Not Valid Before (MM/DD/YYYY), Not Valid After (MM/DD/YYYY). Second Key Parameters: MD5 Key Id, MD5 Auth Key, Not Valid Before, Not Valid After]

3. Enter the settings as explained in the following table.
Tab
95. screen settings (continued)
Setting | Description
Apply Policy For (continued):
IP Network:
Policy Name | A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address | The network IP address to which the SSL VPN policy is applied.
Subnet Mask | The network subnet mask to which the SSL VPN policy is applied.
Port Range / Port Number | A port (enter in the Begin field) or a range of ports (enter in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service | From the drop-down list, select the service to which the SSL VPN policy is applied: VPN Tunnel (the policy is applied only to a VPN tunnel); Port Forwarding (the policy is applied only to port forwarding); All (the policy is applied both to a VPN tunnel and to port forwarding).
Permission | From the drop-down list, select whether the policy permits (PERMIT) or denies (DENY) access.
All Addresses:
Policy Name | A descriptive name of the SSL VPN policy for identification and management purposes.
Port Range / Port Number | A port (enter in the Begin field) or a range of ports (enter in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to
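How policies built from the fields in this table decide a request, as an added example that is not the VPN firewall's implementation. Each policy carries the scope (All Addresses, a single IP address, or an IP network with its mask), the optional port or port range with the 0 through 65535 check the table states, the service it applies to, and PERMIT or DENY. The evaluation order used here (first matching policy wins, DENY when nothing matches) is an assumption made for the example; the page does not state the precedence rules in this passage.

```python
"""SSL VPN policy evaluation modelled on the Add Policy screen fields.

Added example; not NETGEAR code. First matching policy wins and the
default is DENY (both assumptions for this example).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"VPN Tunnel", "Port Forwarding", "All"}


@dataclass(frozen=True)
class SslVpnPolicy:
    name: str
    permission: str                 # "PERMIT" or "DENY"
    service: str = "All"            # "VPN Tunnel", "Port Forwarding" or "All"
    network: Optional[str] = None   # None = All Addresses; "10.5.6.10" or "10.5.6.0/24"
    port_begin: Optional[int] = None
    port_end: Optional[int] = None  # None with port_begin set means a single port

    def __post_init__(self):
        if self.permission not in ("PERMIT", "DENY"):
            raise ValueError("permission must be PERMIT or DENY")
        if self.service not in SERVICES:
            raise ValueError(f"unknown service {self.service!r}")
        for port in (self.port_begin, self.port_end):
            if port is not None and not 0 <= port <= 65535:
                raise ValueError("ports can be 0 through 65535")
        if self.port_end is not None and self.port_begin is None:
            raise ValueError("port_end requires port_begin")
        if self.port_end is not None and self.port_end < self.port_begin:
            raise ValueError("port range end precedes begin")

    def matches(self, dst_ip, dst_port, service):
        """Does this policy cover a request to dst_ip:dst_port over the given service?"""
        if self.service != "All" and self.service != service:
            return False
        if self.network is not None:
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.network, strict=False):
                return False
        if self.port_begin is not None:
            end = self.port_end if self.port_end is not None else self.port_begin
            if not self.port_begin <= dst_port <= end:
                return False
        return True


def evaluate(policies, dst_ip, dst_port, service):
    """Return (permission, policy name) of the first match, or ("DENY", None)."""
    for policy in policies:
        if policy.matches(dst_ip, dst_port, service):
            return policy.permission, policy.name
    return "DENY", None


# Constructed policy set: block RDP to the server network via port forwarding,
# allow SSH to one jump host over either service, then allow the rest of the
# server network over the VPN tunnel only.
POLICIES = [
    SslVpnPolicy("no-rdp", "DENY", "Port Forwarding", "10.5.6.0/24", 3389),
    SslVpnPolicy("jump-ssh", "PERMIT", "All", "10.5.6.10", 22),
    SslVpnPolicy("servers", "PERMIT", "VPN Tunnel", "10.5.6.0/24"),
]

if __name__ == "__main__":
    for request in [("10.5.6.20", 3389, "Port Forwarding"), ("10.5.6.20", 3389, "VPN Tunnel"),
                    ("10.5.6.10", 22, "Port Forwarding"), ("10.7.0.1", 80, "VPN Tunnel")]:
        print(request, evaluate(POLICIES, *request))
```

Note that the DENY in "no-rdp" is scoped to Port Forwarding only, so the same RDP destination is still permitted through the VPN tunnel by the later "servers" policy; a DENY meant to cover both paths needs Service set to All.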
96. see the information in the previous section, Troubleshoot the Web Management Interface on page 295. If the VPN firewall is configured correctly, check your Internet connection (for example, your modem or router) to make sure that it is working correctly.

Troubleshoot the ISP Connection

If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your VPN firewall requests an IP address from the ISP. You can determine whether the request was successful using the web management interface.

To check the WAN IP address for a WAN interface:
1. Launch your browser and navigate to an external site such as www.netgear.com.
2. Access the web management interface of the VPN firewall's configuration at https://192.168.1.1.
3. Select Network Configuration > WAN Settings. The WAN Settings screen displays.
4. Click the Status button in the Action column of the WAN interface for which you want to view the connection status. The Connection Status screen appears in a pop-up window. For more information, see View the WAN Port Connection Status on page 285.
5. Check that an IP address is shown for the WAN port. If 0.0.0.0 is shown, your VPN firewall has not obtained an IP address from your ISP. If
97. ...server: DHCP, 63, 75; VLANs, 59
LEDs: explanation of, 14, 16; troubleshooting, 294, 295
licenses, ProSafe VPN Client software, 11
limits: monthly LAN traffic volume, 268; monthly WAN traffic volume, 265; number of sessions, 109
load balancing mode: bandwidth capacity, 242; configuring, 36, 38; DDNS, 43; description, 32; VPN (IPSec), 134
local area network. See LAN
local user database, 222
location, placement of the VPN firewall, 17
lock, security, 16
log messages (system logs and error messages): DHCP, 339; other events, 338; routing, 336; system, 323; understanding, 322
logged out automatically, 234, 250
logging: configuring, 269, 274; terms in log messages, 322
login, default settings, 302
login policies: administrators, 250; restricting, 230, 232
login time-out: changing, 233, 248; default, 22
looking up DNS addresses, 290
MAC addresses: blocked, adding, 127; configuring, 28, 53; defaults, LAN and WAN ports, 279; filtering, 126; format, 53, 127; IP binding, 128; spoofing, 297; VLANs, 65
main navigation menu, web management interface, 23
management, default settings, 303
maximum transmission unit (MTU), 53
MD5 (Message Digest algorithm 5): IKE policies, 163; ModeConfig, 179; RIP-2, 79; self certificate requests, 238; VPN policies, 171
Media Access Control. See MAC addresses
membership, ports, VLAN, 61, 281
Message Digest algorithm 5. See MD5
meta tags, HTTP, 201
meter: LAN traffic, 266; WAN traffic, 263
metric, static routes, 77
MIA
98. ...sessions are established from the same LAN host at IP address 192.168.11.2 and a session limit (SESS_LIMIT) is set as 1, the FTP packets from the second session are dropped.
Recommended Action: Change the session limit to 2 to prevent packets from being dropped.

Source MAC Filter Logs

Table 115. Other Event Logs: Source MAC Filter Logs
Message: 2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC=00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Explanation: Because MAC address 00:12:3f:34:41:14 of the LAN host with IP address 192.168.11.3 is filtered so that it cannot access the Internet, the packets sent by this MAC address to the Google server at address 209.85.153.103 are dropped.
Recommended Action: Disable source MAC filtering.

Bandwidth Limit Logs

Table 116. Other Event Logs: Bandwidth Limit (Outbound Bandwidth Profile)
Message: 2000 Jan 1 00:10:36 [SRX5308] [kernel] BW_LIMIT_DROP IN=LAN OUT=WAN SRC=192.168.100.2 DST=22.0.0.2 PROTO=ICMP TYPE=144 CODE=145 TC_INDEX=10 CLASSID=10:5
Explanation: This log is generated when an outbound packet is dropped because the packet size exceeds the specified bandwidth limit.
Recommended Action: Ensure that the packet size is within the specified bandwidth limit.

Table 117. Other Event
99. ...static routes, or grant full access to the local network, subject to additional policies.
5. To simplify policies, define network resource objects (see Use Network Resource Objects to Simplify Policies on page 208). Network resource objects are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
6. Configure the SSL VPN policies (see Configure User, Group, and Global Policies on page 210). Policies determine access to network resources and addresses for individual users, groups, or everyone.

Create the Portal Layout

The Portal Layouts screen that you can access from the SSL VPN menu allows you to create a custom page that remote users see when they log in to the portal. Because the page is completely customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact information, or VPN-related news updates to remote users. The page is also well suited as a starting page for restricted users: if mobile users or business partners are permitted to access only a few resources, the page that you create presents only the resources that are relevant to these users.

You apply portal layouts by selecting one from the available portal layouts in the configuration of a domain. When you have completed your portal layout, you can apply the portal layout to one or more authentication domains (see Configure Dom
100. ...that you are never disconnected. See Network Planning for Multiple WAN Ports on page 306 for the planning factors to consider when implementing the following capabilities with multiple WAN port gateways:
- Single or multiple exposed hosts
- Virtual private networks (VPNs)

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL VPN connections.
- IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
  - IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
  - Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
  - Supports 125 concurrent IPSec VPN tunnels.
- SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers.
  - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  - Browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
  - Provides
101. ...the DHCP log.

View Attached Devices

To view the network database:
Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. The following figure shows some examples in the Known PCs and Devices table.

[Figure 176: LAN Groups screen, showing the Known PCs and Devices table (Name, IP Address, MAC Address, Group, Profile Name, Action columns; example entries Marketing, Sales, and SalesEMEA) and the Add Known PCs and Devices section]

The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall or have been discovered by other means. Collectively, these entries make up the network database. For each PC or device, the following fields are displayed:
- Check box: Allows you to select the PC or device in the table.
- Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). If the PC or device
102. ...the Internet. Enter a beginning and ending IP address to define the allowed range.
- Only this PC: Allow access from a single IP address on the Internet. Enter a single IP address.
Port Number: The default HTTPS port is 443. As an option, you can change the port number.

Telnet Management: Select the Yes radio button to enable Telnet remote management and specify the IP address settings. Select the No radio button to disable HTTPS remote management, which is the default setting. Select one of the following IP address settings:
- Everyone: Allow access from any IP address on the Internet.
- IP address range: Allow access from a range of IP addresses on the Internet. Enter a beginning and ending IP address to define the allowed range.
- Only this PC: Allow access from a single IP address on the Internet. Enter a single IP address.

3. Click Apply to save your changes.

WARNING: If you are remotely connected to the VPN firewall and you select the No radio button to disable HTTP remote management, you and all other SSL VPN users are disconnected when you click Apply.

When remote management is enabled, you need to use an SSL connection to access the VPN firewall from the Internet. You need to enter https (not http) and type the VPN firewall's WAN IP address in your browser. For example, if the VPN firewall's WAN IP address is 172.16.0.123, type the following in your browser: https://172.16.0.123. The VPN f
103. ...the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings:
- Domain Name: This is optional. Enter the domain name of the VPN firewall.
- Start IP: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the ending IP address. The IP address 192.168.1.2 is the default start address.
- End IP: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
  Note: The starting and ending DHCP IP addresses should be in the same network as the IP address of the VPN firewall (that is, the IP address in the IP Setup section of the screen).
- Primary DNS Server: This is optional. If an IP address is specified, the VPN firewall provides this address as the primary DNS server IP address. If no address is specified, the VPN firewall uses the VLAN IP address as the primary DNS server IP address.
- Secondary DNS Server: This is optional. If an IP address is specified, the VPN firewall provides this address as the secondary DNS server IP address.
- WINS Server: This is optional. Enter a W
104. ...the a.m. or p.m. radio button.

Table 67. Firewall Logs & E-mail screen settings (continued)

Setting / Description

Enable SysLogs
- Enable: Select one of the following radio buttons to configure the syslog server:
  - Yes: The VPN firewall sends a log file to a syslog server. Complete the SysLog Server and SysLog Severity fields that are shown on the right side of the screen (see explanations later in this table).
  - No: The VPN firewall does not send a log file to a syslog server, which is the default setting.
- SysLog Server: The IP address or name of the syslog server.
- SysLog Severity: All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server. For example, if you select LOG_CRITICAL as the severity, then the logs with the severities LOG_CRITICAL, LOG_ALERT, and LOG_EMERG are logged. From the SysLog Severity drop-down list, select one of the following syslog severities:
  - LOG_EMERG: The VPN firewall is unusable.
  - LOG_ALERT: An action needs to be taken immediately.
  - LOG_CRITICAL: There are critical conditions.
  - LOG_ERROR: There are error conditions.
  - LOG_WARNING: There are warning conditions.
  - LOG_NOTICE: There are normal but significant conditions.
  - LOG_INFO: Informational messages.
  - LOG_DEBUG: Debug-level messag
105. ...the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down table buttons in the Action column allow you to relocate a defined rule to a new position in the table.

[Figure 41: LAN WAN Rules screen, showing the Default Outbound Policy (Allow Always), the Outbound Services table, and the Inbound Services table (Service Name, Filter, LAN Users, WAN Users, Log, QoS Profile, Bandwidth Profile, Action columns)]

Set LAN WAN Rules

The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking. Y
106. ...to factory default settings.

[Figure 181: Settings Backup and Firmware Upgrade screen (Default button; Locate and select the upgrade file from your hard disk)]

The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.

WARNING: When you push the hardware reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them.

Note: After rebooting with factory default settings, the VPN firewall's password is password and the LAN IP address is 192.168.1.1.

Problems with Date and Time

The Time Zone screen displays the current date and time of day (see Configure Date and Time Service on page 260). The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
- Date shown is January 1, 2000. Cause: The VPN firewall has not yet successfully reached a network time server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least 5 minutes and check the date and time again.
107. ...tunnel, description, 196; user account, 227, 228; user portal, 217; viewing logs, 283
stateful packet inspection (SPI), 11, 81, 170
static IP address, 27, 31
static routes: configuring, 75, 77; example, 80
statistics, viewing, 279
status screens, viewing, 274
stealth mode, 107
stratum, NTP servers, 261
submenu tabs, web management interface, 23
subnet masks: default, 61; DMZ port, 73
SYN flood, 107
syslog and syslog server, configuring, 269, 273
system: date and time settings, 260; details, viewing, 277; status, viewing, 275; updating, 259
system log messages, explanation, 323

T

table buttons, web management interface, 24
tabs, submenu, web management interface, 23
tags, meta, 201
TCP: flood, blocking, 107; time-out, 110
TCP/IP network, troubleshooting, 298
technical specifications, 303
technical support, 2
Telnet management, 252
Test LED, 15, 294
time: settings, 261; troubleshooting, 300
time-out: error, troubleshooting, 296; sessions, 110
tips for administrators, firewall and content filtering, 82
ToS (Type of Service): inbound rules, 89; LAN QoS profile, 117; outbound rules, 85; QoS support, 13; WAN QoS profile, 46
tracert, using with DDNS, 253
tracing a route (traceroute), 290
trademarks, 2
traffic: blocking, configuring, content filtering, 123; blocking, reaching LAN limit, 268; blocking, reaching WAN limit, 265; inbound, planning, 310; increasing WAN limit, 265; management, 242; meter or counter, LAN, 266; meter or counter, WAN, 263; rate limiting, 54; using bandwidth profiles, 248; using QoS, 247
v
108. ...unique name assigned to the VLAN profile.
- VLAN ID: The unique ID (or tag) assigned to the VLAN profile.
- Subnet IP: The subnet IP address for the VLAN profile.
- DHCP Status: The DHCP server status for the VLAN profile, which can be either DHCP Enabled or DHCP Disabled.
- Action: The Edit table button that provides access to the Edit VLAN Profile screen.

Assign a VLAN profile to a LAN port (Port 1, Port 2, Port 3, or Port 4/DMZ) by selecting a VLAN profile from the drop-down list. Both enabled and disabled VLAN profiles are displayed in the drop-down lists.

3. Click Apply to save your settings.

Note: For information about how to add and edit a VLAN profile, including its DHCP options, see Configure a VLAN Profile on page 59.

VLAN DHCP Options

For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options.

DHCP Server

The default VLAN (VLAN 1) has the DHCP Server option enabled by default, allowing the VPN firewall to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the VPN firewall's LAN. The assigned default gateway address is the LAN address of the VPN firewall. IP addresses are assigned to the attached computers from a pool of addresses that you need to specify. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. When you create a new VLAN
109. ...use a redundant ISP link for backup purposes, select the WAN port that should function as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN failure detection method on the WAN Advanced Options screen to support auto-rollover (see Configure the Auto-Rollover Mode and Failure Detection Method on page 34).

Whichever WAN mode you select, you need to also select either NAT or classical routing, as explained in the following sections.

Configure Network Address Translation

Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.

Note the following about NAT:
- The VPN firewall uses NAT to select the correct PC on your LAN to receive any incoming data.
- If you have only a single public Internet IP address, you need to use NAT (the default setting).
- If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping i
110. ...use in defining firewall rules. The Services screen shows a list of services that you have defined, as shown in Figure 59. To define a new service, first you need to determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen.

To add a customized service:
1. Select Security > Services. The Services submenu tabs display with the Services screen in view. The screen displays the Custom Services Table with the user-defined services. The following figure shows some examples.

[Figure 59: Services screen, showing the Custom Services Table (example entries with Type TCP and Start Port 3389 and 30) and the Add Custom Service section (Name, Type, ICMP Type, Start Port)]

2. In the Add Custom Service section of the screen, enter the settings as explained in the following table.

Table 22. Services screen settings

Setting / Description
- Name: A descriptive name of the service for identification and management purposes.
- Type: From the Type drop-down list, select the Layer 3 protocol that the service uses as its transport protoc
111. ...used as a VPN concentrator on which one or more gateway tunnels terminate. You need to specify the authentication type that should be used during verification of the credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
- IPSec Host: Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the VPN firewall need to be specified on the remote gateway.

Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.

Configure XAUTH for VPN Clients

Once XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server.

Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy needs to be disabled before you can modify the IKE policy.

To enable and configure XAUTH:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 104 on page 160).
2. In the List of IKE Policies table, click the Edit table button to
112. ...you just stored on your computer.
11. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table.

To delete one or more SCRs:
1. In the Self Certificate Requests table, select the check box to the left of the SCR that you want to delete, or click the Select All table button to select all SCRs.
2. Click the Delete table button.

View and Manage Self-Signed Certificates

The Active Self Certificates table on the Certificates screen (see Figure 148 on page 238) shows the digital certificates issued to you by a CA and available for use. For each self-signed certificate, the table lists the following information:
- Name: The name that you used to identify this digital certificate.
- Subject Name: The name that you used for your company and that other organizations see as the holder (owner) of the certificate.
- Serial Number: This is a serial number maintained by the CA. It is used to identify the digital certificate with the CA.
- Issuer Name: The name of the CA that issued the digital certificate.
- Expiry Time: The date on which the digital certificate expires. You should renew the digital certificate before it expires.

To delete one or more self-signed certificates:
1. In the Active Self Certificates table, select the check box to the left of the self-signed certificate t
113. ...you know the Ethernet port speed of the modem or router, select it from the drop-down list. Use the half-duplex settings only if the full-duplex settings do not function correctly. Select one of the following speeds from the drop-down list:
- AutoSense: Speed autosensing. This is the default setting, which can sense 1000BaseT speed at full duplex.
- 10BaseT Half_Duplex: Ethernet speed at half duplex.
- 10BaseT Full_Duplex: Ethernet speed at full duplex.
- 100BaseT Half_Duplex: Fast Ethernet speed at half duplex.
- 100BaseT Full_Duplex: Fast Ethernet speed at full duplex.
- 1000BaseT Full_Duplex: Gigabit Ethernet.

Router's MAC Address: Make one of the following selections:
- Use Default Address: Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. To use the VPN firewall's own MAC address, select the Use Default Address radio button.
- Use this computer's MAC Address: Select the Use this computer's MAC Address radio button to allow the VPN firewall to use the MAC address of the computer you are now using to access the web management interface. This setting is useful if your ISP requires MAC authentication.
- Use this MAC Address: Select the Use this MAC Address radio button to manually enter the MAC address in the field next to the radio button. You would typically enter the MAC address that your ISP is requiring for M
114. ...0
3. Complete the settings as explained in the following table.

Table 43. Add Mode Config Record screen settings

Settings / Description

Client Pool
- Record Name: A descriptive name of the Mode Config record for identification and management purposes.
- First Pool, Second Pool, Third Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Start IP field and enter the ending IP address for the pool in the End IP field.
  Note: No IP pool should be within the local network IP addresses. Use a different range of private IP addresses, such as 172.173.xxx.xx.
- WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.

Table 43. Add Mode Config Record screen settings (continued)

Settings / Description
- DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.

Traffic Tunnel Security Level
Note: Generally, the default sett
115. ...00 Jan 1 04:13:39 [SRX5308] [IKE] Configuration found for 20.0.0.1[500].
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received request for new phase 1 negotiation: 20.0.0.2[500]<=>20.0.0.1[500]
2000 Jan 1 04:13:39 [SRX5308] [IKE] Beginning Identity Protection mode.
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: RFC XXXX
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: DPD
2000 Jan 1 04:13:39 [SRX5308] [IKE] DPD is Enabled
2000 Jan 1 04:13:39 [SRX5308] [IKE] For 20.0.0.1[500], Selected NAT-T version: RFC XXXX
2000 Jan 1 04:13:39 [SRX5308] [IKE] Setting DPD Vendor ID
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: KAME/racoon
2000 Jan 1 04:13:39 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.2[500]
2000 Jan 1 04:13:39 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.1[500]
2000 Jan 1 04:13:39 [SRX5308] [IKE] NAT not detected
2000 Jan 1 04:13:39 [SRX5308] [IKE] ISAKMP-SA established for 20.0.0.2[500]-20.0.0.1[500] with spi:c56f7a1d42baf28a:68fcf85e3c148bd8
2000 Jan 1 04:13:39 [SRX5308] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2000 Jan 1 04:13:40 [SRX5308] [IKE] Responding to new phase 2 negotiation: 20.0.0.2[0]<=>20.0.0.1[0]
2000 Jan 1 04:13:40 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<=>192.168.10.0/24
2000 Jan 1 04:13:41 [SRX5308] [IKE] IPSec-SA established: ESP/Tunnel 20.0.0.1->20.0.0.2 with spi=34046092(0x207808c)
2000 Jan 1 04
116. ...00 Mbps.
- On (amber): The WAN port is operating at 100 Mbps.
- Off: The WAN port is operating at 10 Mbps.
Internet LED:
- On (green): The WAN port has a valid Internet connection.
- Off: The WAN port is either not enabled or has no link to the Internet.

Rear Panel

The rear panel of the VPN firewall includes a console port, a reset button, a cable lock receptacle, an AC power connection, and a power switch.

[Figure 2: Rear panel, showing (from left to right) the security lock receptacle, console port, reset button, AC power receptacle, and power switch]

Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The pinouts are: 2 = Tx, 3 = Rx, 5 and 7 = Gnd. For information about accessing the command-line interface (CLI) using the console port, see Using the Command Line Interface on page 253.
3. Factory default reset button. Using a sharp object, press and hold this button for about eight seconds until the front panel Test light flashes to reset the VPN firewall to factory default settings. All configuration settings are lost, and the default password is restored.
4. AC power receptacle. Universal AC input (100-240 VAC, 50-60 Hz).
5. A power on/off switch.

Bottom Panel with Product Label

The product label on the bottom of the V
117. ...13:41 [SRX5308] [IKE] IPSec-SA established: ESP/Tunnel 20.0.0.2->20.0.0.1 with spi=87179451(0x53240bb)

Explanation:
- Messages 1-5: IPSec, IKE, and the VPN firewall restart.
- Messages 6-7: IPSec and IKE configurations are added with the identifier pol1.
- Messages 8-19: New phase 1 negotiation starts by determining the configuration for the WAN host. Dead Peer Detection (DPD) is enabled and set. NAT payload matching and NAT detection are done.
- Messages 20-21: ISAKMP SA is established between the 2 WANs and information is exchanged.
- Messages 22-23: New phase 2 negotiation starts by using the IPSec SA configuration pertaining to the LAN hosts.
- Messages 24-25: IPSec SA (VPN tunnel) is established.
Recommended Action: None.

Table 98. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1, 300 sec in phase 2), VPN tunnel is reestablished

Message 1:
2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delete payload
Messages 2 through 6:
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi=181708762
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi=153677140
2000 Jan 1 04:32:25 [SRX5308] [IKE] an undead schedule has been deleted: 'pk_recvupdate'
2000 Jan 1 04:32:25 [SRX5308] [IKE] IPSec configuration with identifier "pol1" deleted successfully
2000 Jan 1 04
118. ...168.11.2
Explanation: This log is generated when the DNS name (that is, teamf1) is resolved.
Recommended Action: None.

VPN Log Messages

This section explains logs that are generated by IPSec VPN and SSL VPN policies. These logs are generated automatically and do not need to be enabled.

IPSec VPN Logs

This section describes the log messages generated by IPSec VPN policies.

Note: The same IPSec VPN log messages can appear in the logs that are accessible when you select the VPN check box on the Firewall Logs & E-mail screen (see Activate Notification of Events, Alerts, and Syslogs on page 269) and in the logs on the IPSec VPN Logs screen (see View the VPN Logs on page 283).

Table 97. System logs: IPSec VPN tunnel, tunnel establishment (message groups: 1 through 5, 6 and 7, 8 through 19, 20 and 21, 22 and 23, 24 and 25)

Messages 1 through 5:
2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted
2000 Jan 1 04:02:09 [SRX5308] [wand] [FW] Firewall Restarted
2000 Jan 1 04:02:29 [SRX5308] [IKE] IKE stopped
2000 Jan 1 04:02:31 [SRX5308] [IKE] IKE started
2000 Jan 1 04:02:31 [SRX5308] [wand] [IPSEC] IPSEC Restarted
Messages 6 and 7:
2000 Jan 1 04:07:04 [SRX5308] [IKE] Adding IPSec configuration with identifier "pol1"
2000 Jan 1 04:07:04 [SRX5308] [IKE] Adding IKE configuration with identifier "pol1"
20
119. ...Click the Delete table button.

To add or edit an IKE policy, see Manually Add or Edit an IKE Policy on this page.

Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first need to disable or delete the VPN policy before you can delete or edit the IKE policy.

Manually Add or Edit an IKE Policy

To manually add an IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 104 on page 160).
2. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays.

[Figure: Add IKE Policy screen, showing the Mode Config Record section (Do you want to use Mode Config Record? Yes/No; Select Mode Config Record; View Selected), the General section (Policy Name, Direction/Type, Exchange Mode, Select Local Gateway), the Local and Remote sections (Identifier Type: Local Wan IP / Remote Wan IP; Identifier), the IKE SA Parameters section (Encryption Algorithm, Authentication Algorithm, Authentication Method: Pre-shared key or RSA Signature, Pre-shared key (Key Length 8-49 Char), Diffie-Hellman (DH) Group, SA Lifetime (sec), Enable Dead Peer Detection: Yes/No, Detection Period (Seconds), Reconnect after failure count), and the Extended Authentication section (XAUTH Configuration: None / Edge Device; Authentication Type: User Database; Username; Password)]
120. ...32:25 [SRX5308] [IKE] no phase 2 bounded
Message 7:
2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delete payload
Messages 8 through 11:
2000 Jan 1 04:32:25 [SRX5308] [IKE] Purged ISAKMP-SA with spi=d67f2be9ca0cb241:8a094623c6811286
2000 Jan 1 04:32:25 [SRX5308] [IKE] an undead schedule has been deleted: 'purge_remote'
2000 Jan 1 04:32:25 [SRX5308] [IKE] IKE configuration with identifier "pol1" deleted successfully
2000 Jan 1 04:32:25 [SRX5308] [IKE] Could not find configuration for 20.0.0.1[500]

Explanation:
- Message 1: Informational exchange for deleting the payload.
- Messages 2-6: Phase 2 configuration is purged, and confirms that no phase 2 is bounded.
- Message 7: Informational exchange for deleting the payload.
- Messages 8-11: Phase 1 configuration. The VPN tunnel is reestablished.
Recommended Action: None.

Table 99. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1, 300 sec in phase 2), VPN tunnel not reestablished

Message:
2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<=>192.168.10.0/24
2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1.
2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500]. b73efd188399b7f2:0000000000000000
2000 Jan 1 04:53:04 [SRX5308] [IKE] Pha
121. [Figure: Groups screen. List of Groups table with columns Name, Domain, Action; example rows: Customers (domain Customers), LDAP_Users (domain LDAP_Users), geardomain (domain geardomain), ProductMarketing (domain LDAP_Users), each with an Edit button; Select All and Delete buttons. Add New Group section with Name, Domain, and Idle Timeout fields.]

The List of Groups table displays the VPN groups with the following fields:
- Check box. Allows you to select the group in the table.
- Name. The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical name as the default group. You cannot delete a default group; you can only delete the domain with the identical name, which causes the default group to be deleted.
- Domain. The name of the domain to which the group is assigned.
- Action. The Edit table button that provides access to the Edit Group screen.

2. In the Add New Group section of the screen, enter the settings as explained in the following table.

Table 57. Group screen settings
Setting: Description
Name: A descriptive (alphanumeric) name of the group for identification and management purposes.
Domain: The drop-down list shows the domains that are listed on the Domain screen. From the drop-down list, select the domain with which the group is associated. For information about how to configure domains, see Configure Domains on page 219.
Idle Timeout: The period after which an idle user is automatically logged out of the VPN firewall's web
122. [Figure 26: Add QoS screen (Network Configuration > WAN Settings > QoS). Fields: QoS Type, Interface, Service, Direction, Diffserv QoS Match, Congestion Priority; Hosts (Start IP, End IP, Select Group); Bandwidth Allocation (Rate Control, Min Bandwidth in kbps, Max Bandwidth, Shared); Diffserv QoS Remark.]

Enter the settings as explained in the following table.

Table 9. Add QoS screen settings for a rate control profile
Setting: Description
QoS Type: Rate Control. (For Priority, see Figure 27 on page 50 and Table 10 on page 50.)
Interface: From the drop-down list, select one of the WAN interfaces.
Service: From the drop-down list, select a service or application to be covered by this profile. If the service or application does not appear in the list, you need to define it using the Services screen (see Services-Based Rules on page 83).
Direction: From the drop-down list, select the direction to which rate control is applied:
- Outbound Traffic. Rate control is applied to outbound traffic only.
- Inbound Traffic. Rate control is applied to inbound traffic only.
Diffserv QoS Match: Enter a DSCP value in the range of 0 through 63. Packets are classified against this value. Leave this field blank to disable packet matching.
123. Contents (page 6)
- Set Up IP/MAC Bindings
- Configure Port Triggering
- Configure Universal Plug and Play

Chapter 5 Virtual Private Networking Using IPSec Connections
- Considerations for Multi-WAN Port Systems
- Use the IPSec VPN Wizard for Client and Gateway Configurations
- Create Gateway-to-Gateway VPN Tunnels with the Wizard
- Create a Client-to-Gateway VPN Tunnel
- Test the Connection and View Connection and Status Information
- Test the NETGEAR VPN Client Connection
- NETGEAR VPN Client Status and Log Information
- View the VPN Firewall IPSec VPN Connection Status
- View the VPN Firewall IPSec VPN Logs
- Manage IPSec VPN Policies
- Configure IKE Policies
- Configure VPN Policies
- Configure Extended Authentication (XAUTH)
- Configure XAUTH for VPN Clients
- User Database Configuration
- RADIUS Client Configuration
- Assign IP Addresses to Remote Users (Mode Config)
- Mode Config Operation
- Configure Mode Config Operation on the VPN Firewall
124. Preshared Key: Select the Preshared Key radio button. Enter the pre-shared key that you already specified on the VPN firewall. For example, enter H8 spsf3 JYK2. Confirm the key in the Confirm field.
IKE Encryption: Select the 3DES encryption algorithm from the drop-down list.
Authentication: Select the SHA1 authentication algorithm from the drop-down list.
Key Group: Select the DH2 (1024) key group from the drop-down list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays.

[Figure 115: NETGEAR ProSafe VPN Client Professional, VPN Configuration > Authentication > Advanced pane. Advanced features: Mode Config, Aggressive Mode, X-Auth Popup, Hybrid Mode, Login, Password. Local and Remote ID: Type of ID and Value for the ID; Local ID of type DNS with value client.com, Remote ID of type DNS with value router.com. Status: VPN Client ready.]

7. Specify the settings that are explained in the following table.

Table 46. VPN client advanced authentication settings
Mode Config: Se
125. ...MAC authentication. Note: The format for the MAC address is 01:23:45:67:89:AB (numbers 0 through 9 and either uppercase or lowercase letters A through F). If you enter a MAC address, the existing entry is overwritten.
Failure Detection Method: See Configure the Failure Detection Method on page 35, including Table 6 on page 36.

Table 11. WAN Advanced Options screen settings (continued)
Setting: Description
Upload/Download Settings: These settings rate limit the traffic that is being forwarded by the VPN firewall.
WAN Connection Type: From the drop-down list, select the type of connection that the VPN firewall uses to connect to the Internet: DSL, ADLS, Cable Modem, T1, T3, or Other.
WAN Connection Speed Upload: From the drop-down list, select the maximum upload speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom and enter the speed in Kbps in the field below the drop-down list.
WAN Connection Speed Download: From the drop-down list, select the maximum download speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom and enter the speed in Kbps in the field below the drop-down list.

5. Click Apply to save your changes.

WARNING: Depending on the changes that you made, when you click Apply the
126. ...AN SSL VPN Firewall SRX5308 does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications. This Class B digital apparatus complies with Canadian ICES-003. (In French:) This Class B digital apparatus complies with Canadian standard NMB-003.

European Union
The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 complies with essential requirements of EU EMC Directive 2004/108/EC and Low Voltage Directive 2006/95/EC as supported by applying the following test methods and standards:
- EN55022: 2006 + A1: 2007
- EN55024: 1998 + A1: 2001 + A2: 2003
- EN60950-1: 2005 2nd Edition
- EN 61000-3-2: 2006
- EN 61000-3-3: 1995 w/A1: 2001 + A2: 2005

GPL License Agreement
GPL may be included in this product; to view the GPL license agreement go to ftp://downloads.netgear.com/files/GPLnotice.pdf. For GNU General Public License (GPL) related information, please visit http://support.netgear.com/app/answers/detail/a_id/2649.

Index
Numerics
10BaseT, 100BaseT, and 1000BaseT 53
3322.org 42, 45
A
AAA (authentication, authorization, and accounting) 174
AC input 16
access, remote management 250
account name, PPTP and PPPoE 29, 30
action buttons, web management interface 23
active directory 220, 222
active routes 77
ActiveX controls: blocking 123; web cache cleaner (SSL VPN) 201
address res
127. ...WAN port changes after a rollover, use of fully qualified domain names is always required. (Figure 186)

Inbound Traffic: Dual WAN Ports for Load Balancing
In a dual WAN port load balancing configuration, the Internet address of each WAN port is either fixed if the IP address is fixed or an FQDN if the IP address is dynamic (see the following figure).

Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.

[Figure 187: Dual WAN Ports: Load Balancing. The router's WAN ports each have an IP address (WAN1 IP, WAN2 IP); use of fully qualified domain names (for example netgear2.dyndns.org) is required for dynamic IP addresses and optional for fixed IP addresses.]

Virtual Private Networks
When implementing virtual private network (VPN) tunnels, you need to use a mechanism for determining the IP addresses of the tunnel endpoints. The addressing of the firewall's WAN ports in a dual WAN port auto-rollover or load balancing configuration depends on the configuration being implemented.

Table 80. IP addressing requirements for VPNs in a dual WAN port configuration
Configuration and WAN IP address | Single WAN port | Dual WAN port configu
128. - Administrator Settings 248
- Configure Remote Management Access 250
- Using the Command Line Interface 253
- Use a Simple Network Management Protocol Manager 254
- Manage the Configuration File 256
- Configure Date and Time Service 260

Chapter 9 Monitoring System Access and Performance
- Enable the WAN Traffic Meter 263
- Enable the LAN Traffic Meter 266
- Activate Notification of Events (Alerts and Syslogs) 269
- View Status and Log Screens 274
- View the System (Router) Status and Statistics 275
- View the VLAN Status 280
- View and Disconnect Active Users 281
- View the VPN Tunnel Connection Status 282
- View the VPN Logs 283
- View the Port Triggering Status 285
- View the WAN Port Connection Status 285
- View the Attached Devices and DHCP Log 287
- Use the Diagnostics Utilities 289
- Send a Ping Packet or Trace a Route 289
- Look Up a DNS Address 290
- Display the Routing Table
129. [Figure 161: LAN Traffic Meter table with columns LAN IP Address, Direction, Limit (MB), Traffic (MB), State, Action; example row: Both, 50000, 0, Allowed, Edit; Select All, Delete, and Add buttons.]

The LAN Traffic Meter table shows the following columns, all of which are explained in detail in the following table:
- LAN IP Address. The LAN IP address that is subject to the traffic meter.
- Direction. The direction for which traffic is measured.
- Limit (MB). The traffic limit in MB.
- Traffic (MB). The traffic usage in MB.
- State. The state that indicates whether traffic to and from the IP address is allowed or blocked.
- Action. The Edit table button provides access to the Edit LAN Traffic Meter screen for the corresponding IP address.

To add a LAN IP address account to the traffic meter:
4. On the LAN Traffic Meter screen, click the Add table button. The Add LAN Traffic Meter Account screen displays.

[Figure 162: Add LAN Traffic Meter Account screen. Fields: LAN IP address, Direction (Both directions), Limit (MB). Traffic Counter: Restart Traffic Counter Now, Restart Traffic Counter at Specific Time (on the day of Month). When Limit is reached: Block, Send Email Alert and Block. Send e-mail report before restarting counter.]

5. Enter the settings as ex
130. [Figure 23: Dynamic DNS screen, sections for WAN2, WAN3, and WAN4. Each section shows Dynamic DNS Status (service is not enabled), Configured DDNS Host and Domain Name (none), Host and Domain Name (example: yourname.dyndns.org), Username, Password, Use wildcards, Update every 30 days, and Change DNS to DynDNS.org (Yes/No).]

3. Click the Information option arrow in the upper right of a DNS screen for registration information.

[Figure 24: Network Configuration > Dynamic DNS submenu tabs: DNS TZO, DNS Oray, 3322 DDNS, DynDNS, with the Information option arrow.]

4. Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com).
5. Configure the DDNS service settings as explained in the following table.

Table 8. DDNS service settings
Setting: Descrip
131. ...Configure the Internet Connection on page 28.

PPPoE Idle Timeout Logs

Table 93. System logs: WAN status, PPPoE idle time-out
Message:
Nov 29 13:12:46 SRX5308 pppd: Starting connection
Nov 29 13:12:49 SRX5308 pppd: Remote message: Success
Nov 29 13:12:49 SRX5308 pppd: PAP authentication succeeded
Nov 29 13:12:49 SRX5308 pppd: local IP address 50.0.0.62
Nov 29 13:12:49 SRX5308 pppd: remote IP address 50.0.0.1
Nov 29 13:12:49 SRX5308 pppd: primary DNS address 202.153.32.3
Nov 29 13:12:49 SRX5308 pppd: secondary DNS address 202.153.32.3
Nov 29 11:29:26 SRX5308 pppd: Terminating connection due to lack of activity.
Nov 29 11:29:28 SRX5308 pppd: Connect time 8.2 minutes.
Nov 29 11:29:28 SRX5308 pppd: Sent 1408 bytes, received 0 bytes.
Nov 29 11:29:29 SRX5308 pppd: Connection terminated.

Table 93. System logs: WAN status, PPPoE idle time-out (continued)
Explanation:
Message 1: PPPoE connection started.
Message 2: Message from PPPoE server for correct login.
Message 3: Authentication for PPP succeeded.
Message 4: Local IP address assigned by the server.
Message 5: Server-side IP address.
Message 6: The primary DNS server that is configured on the WAN ISP Settings screen.
Message 7: The secondary DNS server that is configured on the WAN ISP Settings screen.
Message 8: The PPP link has trans
132. Setting: Description
Backup Server IP Address: The IP address of the backup RADIUS server.
Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase needs to be configured on both the client and the server.
Backup Server NAS Identifier: The backup NAS identifier that needs to be present in a RADIUS request. Note: See the note earlier in this table for the Primary Server NAS Identifier.
Connection Configuration
Time-out period: The period in seconds that the VPN firewall waits for a response from a RADIUS server.
Maximum Retry Counts: The maximum number of times that the VPN firewall attempts to connect to a RADIUS server.

3. Click Apply to save your settings.

Note: You select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 173).

Assign IP Addresses to Remote Users (Mode Config)
To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to assign IP addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address from the VPN firewall. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extensions of the network.

Mode Config Operation
After the IKE Phase 1 negotiation is complete,
133. ...[IKE] Deleting generated policy for 20.0.0.1[0]_
2000 Jan 1 02:34:45 SRX5308 [IKE] an undead schedule has been deleted: 'pk_recvupdate'_
2000 Jan 1 02:34:45 SRX5308 [IKE] Purged IPSec-SA with proto_id=ESP and spi=3000608295(0xb2d9a627)._
2000 Jan 1 02:34:45 SRX5308 [IKE] Purged IPSec-SA with proto_id=ESP and spi=248146076(0xeca689c)._
2000 Jan 1 02:34:45 SRX5308 [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=da1f2efbf0635943:4eb6fae677b2e4f4._
2000 Jan 1 02:34:46 SRX5308 [IKE] ISAKMP-SA deleted for 20.0.0.2[500]-20.0.0.1[500] with spi:da1f2efbf0635943:4eb6fae677b2e4f4_

Explanation: Phase 2 and phase 1 policies are deleted when the client is disconnected.
Recommended Action: None.

Table 103. System logs: IPSec VPN tunnel, client policy behind a NAT device
Message (messages 3 through 6):
2000 Jan 1 01:54:21 SRX5308 [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_
2000 Jan 1 01:54:21 SRX5308 [IKE] NAT-D payload matches for 20.0.0.2[4500]_
2000 Jan 1 01:54:21 SRX5308 [IKE] NAT-D payload does not match for 20.0.0.1[4500]_
2000 Jan 1 01:54:21 SRX5308 [IKE] Ignore REPLAY-STATUS notification from 20.0.0.1[4500]_
2000 Jan 1 01:54:21 SRX5308 [IKE] Ignore INITIAL-CONTACT notification from 20.0.0.1[4500] because it is only accepted after phase 1_
2000 Jan 1 01:54:21 SRX5308 [IKE] NAT detected: Peer is
134. ...Filter screen enables you to permit or block traffic coming from certain known PCs or devices. By default, the source MAC address filter is disabled; all the traffic received from PCs with any MAC address is allowed. When the source MAC address filter is enabled, depending on the selected policy, traffic is either permitted or blocked if it comes from any PCs or devices whose MAC addresses are listed in the MAC Addresses table.

Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 83.

To enable MAC filtering and add MAC addresses to be permitted or blocked:
1. Select Security > Address Filter. The Address Filter submenu tabs display with the Source MAC Filter screen in view. The following figure shows one address in the MAC Addresses table as an example.

[Figure 69: Source MAC Filter screen (Security > Address Filter). Fields: Do you want to enable Source MAC Address Filtering? (Yes/No); Policy for MAC Addresses listed below; MAC Addresses table with example entry a1:22:b2:33:c3:44 and Select All and Delete buttons; Add Source MAC Address field with Add button.]

2. In the MAC Filtering Enable section, select the Yes radio button.
3. In the same section, below the radio buttons, select one of the following options from the drop-down list:
- Block. Traffic coming
135. [Figure: Domain Name Server (DNS) Servers section. Radio buttons: Get Automatically from ISP, Use These DNS Servers; fields: Primary DNS Server, Secondary DNS Server.]

Table 5. DNS server settings
Setting: Description
Get Automatically from ISP: If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button.
Use These DNS Servers: If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
Primary DNS Server: The IP address of the primary DNS server.
Secondary DNS Server: The IP address of the secondary DNS server.

9. Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered.
10. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any changes and revert to the previous settings.)

If you want to manually configure an additional WAN interface, select another WAN interface and repeat these steps. You can configure up to four WAN interfaces.

When you are finished, click the Logout link at the upper right corner of the web management interface, or proceed to additional setup and management tasks.

Configure the
136. ...WINS server IP address to specify the Windows NetBIOS server if one is present in your network.
Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
DHCP Relay: Select the DHCP Relay radio button to use the VPN firewall as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
Relay Gateway: The IP address of the DHCP server for which the VPN firewall serves as a relay.

Table 12. Edit VLAN Profile screen settings (continued)
Setting: Description
Enable LDAP information: Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings. Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and VPN firewall authentication, but not for web and email security.
LDAP Server: The IP address or name of the LDAP server.
Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
- cn (for common name)
- ou (for organizational unit)
- o (for organization)
- c (for country)
- dc (for domain)
For example, to search the Netgear.net domain for all las
137. [Figure 15: Internet IP Address section with IP Address, Subnet Mask, and Gateway IP Address fields.]

Table 4. Internet IP address settings
Setting: Description
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP network protocol.
- Client Identifier. Select the Client Identifier check box if your ISP requires the Client Identifier information to assign an IP address using DHCP.
- Vendor Class Identifier. Select the Vendor Class Identifier check box if your ISP requires the Vendor Class Identifier information to assign an IP address using DHCP.
Use Static IP Address: If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings:
- IP Address. Static IP address assigned to you. This address identifies the VPN firewall to your ISP.
- Subnet Mask. The subnet mask is usually provided by your ISP.
- Gateway IP Address. The IP address of the ISP's gateway is usually provided by your ISP.

8. In the Domain Name Server (DNS) Servers section of the screen, specify the DNS settings as explained in the following table. (Figure 16)
138. [Figure: WAN Advanced Options screen (WAN ISP Settings > Advanced, with the Secondary Addresses option). Fields: MTU Size (Default or Custom, in Bytes; default 1500 Bytes); Port Speed (AutoSense); Router's MAC Address (Use Default Address, Use this computer's MAC Address, Use this MAC Address, example 00:AA:01:AB:02:AC); Failure Detection Method (WAN DNS, DNS Server, Retry Interval, Failover after); Upload/Download Settings (WAN Connection Type, WAN Connection Speed Upload 1000000 Kbps, WAN Connection Speed Download 1 Gbps / 1000000 kbps).]

4. Enter the settings as explained in the following table.

Table 11. WAN Advanced Options screen settings
Setting: Description
MTU Size: Make one of the following selections:
- Default. Select the Default radio button for the normal maximum transmit unit (MTU) value. For most Ethernet networks, this value is 1500 Bytes, or 1492 Bytes for PPPoE connections.
- Custom. Select the Custom radio button and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU. This is rarely required and should not be done unless you are sure it is necessary for your ISP connection.
Port Speed: In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If
139. Internet Configuration Requirements
Depending on how your ISP sets up your Internet accounts, you will need the following Internet configuration information to connect the VPN firewall to the Internet:
- Host and domain names
- One or more ISP login names and passwords
- ISP Domain Name Server (DNS) addresses
- One or more fixed IP addresses (also known as static IP addresses)

Where Do I Get the Internet Configuration Information?
There are several ways you can gather the required Internet connection information. Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide you with it, or, if you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
- For Windows 95/98/ME, open the Network Control Panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
- For Windows 2000/XP/Vista, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
- For Macintosh computers, open the TCP/IP or Network Control Panel. Record all the settings for each section.

After you have located your Internet configuration information, you might want to record the information in the following section.

Network Planning for Multiple WAN Po
140. Configure WAN QoS Profiles
The VPN firewall can support multiple quality of service (QoS) profiles for each WAN interface. You can assign profiles to services such as HTTP, FTP, and DNS, and to LAN groups or IP addresses. Profiles enforce either rate control with bandwidth allocation or priority queue control. You can configure both types of profiles, but either all profiles on the VPN firewall enforce rate control and the profiles that you configured for priority queue control are inactive, or the other way around. Both types of profiles cannot be active simultaneously.
- Rate control with bandwidth allocation. These types of profiles specify how bandwidth is distributed among the services and hosts. A profile with a high priority is offered excess bandwidth while the required bandwidth is still allocated to profiles that specify minimum and maximum bandwidth rates. The congestion priority represents the classification level of the packets among the priority queues within the system. If you select a default congestion priority, traffic is mapped based on the Type of Service (ToS) field in the packet's IP header.
- Priority queue control. These types of profiles specify the priority levels of the services. You can select a high priority queue or a low priority queue. Services in the high priority queue share 60 percent of the interface bandwidth; services in the low priority queue share 10 percent of the interface bandwidth. By de
141. ...SSL VPN port forwarding 204
hosts: exposed, increasing traffic 247; exposed, specifying 104; name resolution 204; public web server 101
HTTP meta tags 201
HTTPS, management 252
I
ICMP: time-out 110; type 113
idle time-out 234, 250
IGMP (Internet Group Management Protocol) 108
IGP (Interior Gateway Protocol) 78
IKE (Internet Key Exchange) policies: managing 159, 165; ModeConfig configuration 179
inbound rules: configuring 88; default 82; DMZ-to-WAN 97; examples 101; increasing traffic 245; LAN-to-DMZ 100; LAN-to-WAN 94; order of precedence 90; overview 86; scheduling 121; settings 88
increasing traffic: features 245, 248; port forwarding and DoS attack 87
increasing WAN traffic limit 265
info messages (syslog) 273
Installation Guide 19
instant messaging, blocking applications 105
interface specifications 304
Interior Gateway Protocol (IGP) 78
Internet: blocking sites 123; configuration requirements 308; connection: auto-detecting 25, default settings 302, manually configuring 28; filtering content 123; form to save connection information 309
Internet Group Management Protocol (IGMP) 108
Internet Key Exchange. See IKE policies
Internet LED 16
Internet Service Provider. See ISP
inter-routing VLANs 63
IP addresses 203: auto-generated 295; default 61; DHCP address pool 62, 74; DMZ port 73; DNS servers 31, 62, 74; dynamically assigned 31; gateway (ISP) 31; LAN multi-home 65; MAC binding 128; port forwarding (SSL VPN) 203; reserved 72; secondary LAN 65; WAN 41; stat
142. ...VLAN Status screen: Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays.

[Figure 168: VLAN Status screen (Monitoring > Router Status) with columns Profile Name, VLAN ID, MAC Address, Subnet IP, DHCP Status, Port Membership. Example rows: defaultVlan with DHCP Enabled and port 1, port 2, port 3; SalesVLAN with MAC address 00:00:00:00:00:01 and DHCP Disabled.]

The following table explains the fields of the VLAN Status screen.

Table 71. VLAN Status screen information
Item: Description
Profile Name: The unique name for the VLAN that you have assigned on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
VLAN ID: The identifier for the VLAN that you have assigned on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
MAC Address: VLANs can have the same MAC address as the associated LAN port or can be assigned a unique MAC address, depending on the selection that you have made on the LAN Advanced screen (see Configure VLAN MAC Addresses and LAN Advanced Settings on page 64). If a VLAN is configured but disabled, the MAC address displays as 00:00:00:00:00:00.
Subnet IP: The IP address and subnet mask that you have assigned on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
DHCP Status: The DHCP status for the VLAN, which can be either DHCP Enabled or DHCP Di
143. ...Logs:
Source MAC Filter: Select this check box to log packets from MAC addresses that match the source MAC address filter settings (see Enable Source MAC Filtering on page 126).
Session Limit: Select this check box to log packets that are dropped because the session limit has been exceeded (see Set Session Limits on page 109).
Bandwidth Limit: Select this check box to log packets that are dropped because the bandwidth limit has been exceeded (see Create Bandwidth Profiles on page 118).

Table 67. Firewall Logs & E-mail screen settings (continued)
Setting: Description
Enable E-Mail Logs: Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to send logs to an email address. Complete the fields that are shown on the right side of the screen (see explanations later in this table). Select the No radio button to prevent the VPN firewall from sending logs to an email address, which is the default setting.
E-Mail Server Address: The IP address or Internet name of your ISP's outgoing email SMTP server. Note: If you leave this field blank, the VPN firewall cannot send email logs and alerts.
Return E-Mail Address: A descriptive name of the sender for email identification purposes. For example, enter SRXAlerts@company.com.
Send to E-Mail: The email addre
144. ...Logs: Bandwidth Limit, Inbound Bandwidth Profile
Message:
2000 Jan 1 00:08:21 SRX5308 kernel: BW_LIMIT_DROP IN=LAN OUT=WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID=10:2
Explanation: This log is generated when an inbound packet is dropped because the packet size exceeds the specified bandwidth limit.
Recommended Action: Ensure that the packet size is within the specified bandwidth limit.

DHCP Logs
This section explains the log messages that are generated when a host is assigned a dynamic IP address. These messages are displayed on the DHCP Log screen (see View the DHCP Log on page 288).

Table 118. DHCP Logs
Message 1: 2000 Jan 1 07:27:28 SRX5308 dhcpd: Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24
Message 2: 2000 Jan 1 07:27:37 SRX5308 dhcpd: DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found)
Message 3: 2000 Jan 1 07:27:47 SRX5308 dhcpd: DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1
Message 4: 2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
Message 5: 2000 Jan 1 07:27:48 SRX5308 dhcpd: Wrote 2 leases to leases file.
Message 6: 2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1
Message 7: 2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPACK on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
145. MZ WAN Outbound Service screen. For more information about firewall rules, see Use Rules to Block or Allow Specific Kinds of Traffic on page 82. Note: make sure that any secondary WAN address is different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the VPN firewall; primary and secondary WAN addresses can, however, be in the same subnet. The following is an example of correctly configured IP addresses: Primary WAN1 IP address 10.0.0.1 with subnet mask 255.0.0.0; Secondary WAN1 IP 30.0.0.1 with subnet mask 255.0.0.0; Primary WAN2 IP address 20.0.0.1 with subnet mask 255.0.0.0; Secondary WAN2 IP 40.0.0.1 with subnet mask 255.0.0.0; DMZ IP address 192.168.10.1 with subnet mask 255.255.255.0; Primary LAN IP address 192.168.1.1 with subnet mask 255.255.255.0; Secondary LAN IP 192.168.20.1 with subnet mask 255.255.255.0. To add a secondary WAN address to a WAN port: 1. Select Network Configuration > WAN Settings. The WAN screen displays (see Figure 10 on page 25). 2. Click the Edit table button in the Action column of the WAN interface for which you want to add a secondary address. The WAN ISP Settings screen displays (see Figure 17 on page 26, which shows the WAN1 ISP Settings screen as an example). (Connecting the VPN Firewall to the Internet, page 41.) 3. Click the Secondary Addresses option arrow in the upper right of the screen. The WAN Secondary Addresses sc
146. NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. © 2010-2011 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. Technical Support: Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR. Phone (other countries): check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984. Trademarks: NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © 2011 NETGEAR, Inc. All rights reserved. Statement of Conditions: To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or
147. NS Lookup screen. To return to the Diagnostics screen, click Back on the browser menu bar. Display the Routing Table. Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table: in the Router Options section of the Diagnostics screen, next to Display the Routing Table, click the Display button. The routing table is displayed in the Route Display screen, which appears as a popup window (Monitoring System Access and Performance, page 290). The IP addresses shown in the figure do not relate to other figures and examples in this manual. Figure 179, Route Display (columns: Interface Name, Destination, Mask, Gateway); the legible rows are:
WAN1  99.180.226.96  255.255.255.248  0.0.0.0
DMZ  200.1.1.0  (mask unreadable)  0.0.0.0
defaultVlan  192.168.1.0  (mask unreadable)  0.0.0.0
WAN1  123.1.1.0  (mask unreadable)  99.180.226.99
Sales VLAN  192.174.60.0  (mask unreadable)  0.0.0.0
WAN1  default  0.0.0.0  99.180.226.102
Reboot the VPN Firewall. You can perform a remote reboot (restart), for example when the VPN firewall seems to have become unstable or is not operating normally. Note: rebooting breaks any existing connections, both to the VPN firewall (such as your management session) and through the VPN firewall (for example, LAN users accessing the Internet). However, when the reboot process is complete, connections to the Internet are automatically reestablished if possible.
148. Network Configuration (menu: WAN Settings, Protocol Binding, Dynamic DNS, DMZ Setup, Routing, QoS, DHCP Log, LAN Setup). Figure 177, DHCP Log screen. The screen lists dhcpd entries such as "Wrote 0 deleted host decls to leases file", "Wrote 0 new dynamic host decls to leases file", "Wrote 14 leases to leases file", "Listening on LPF/eth0.4094/00:00:00:00:00:...", "Sending on LPF/eth0.1/00:00:00:00:00:01", and "No subnet declaration for eth0.2 (192.174.6...). Ignoring requests on eth0.2. If this is not what you want, please write a subnet declaration in your dhcpd.conf file for the network segment to which interface eth0.2 is attached" (the same warning is repeated for eth0.4093). To view the most recent entries, click the Refresh Log button. To delete all the existing log entries, click the Clear Log button. (Monitoring System Access and Performance, page 288.) Use the Diagnostics Utilities. From the Diagnostics screen you can perform the diagnostics that are discussed in the following sections: Send a Ping Packet or Trace a Route; Look Up a DNS Address; Display t
149. None. Reboot. This section describes log messages generated during system reboot. Table 85. System logs: reboot. Message: Nov 25 19:42:57 SRX5308 reboot: Rebooting in 3 seconds. Explanation: log generated when the system is rebooted from the web management interface. Recommended action: none. (System Logs and Error Messages, page 324.) Firewall Restart. This section describes logs that are generated when the VPN firewall restarts. Table 86. System logs: VPN firewall restart. Message: Jan 23 16:20:44 SRX5308 wand: FW Firewall Restarted. Explanation: log generated when the VPN firewall is restarted; this message is logged when the VPN firewall restarts after any changes in the configuration are applied. Recommended action: none. IPSec Restart. This section describes logs that are generated when IPSec restarts. Table 87. System logs: IPSec restart. Message: Jan 23 16:20:44 SRX5308 wand: IPSEC IPSEC Restarted. Explanation: log generated when IPSec is restarted; this message is logged when IPSec restarts after any changes in the configuration are applied. Recommended action: none. Unicast, Multicast, and Broadcast Logs. Table 88. System logs: unicast. Message: Nov 24 11:52:55 SRX5308 kernel: UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049. Expla
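The kernel messages in Tables 85 through 88 (entry 149 above) and the dhcpd messages in Table 118 (entry 144) share a syslog-style prefix followed by either KEY=VALUE fields or a dhcpd sentence. The parser below is an added example, not NETGEAR code: it turns the documented message shapes into records, counts bandwidth drops per flow, and recovers the confirmed DHCP assignments (DHCPACK only, since DHCPOFFER is not a lease). The sample log is constructed from the manual's own examples; the "=" separators and the ":" after the process name are assumptions about the real on-the-wire format, which the manual's rendering does not preserve.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the message formats the manual documents.
# Assumption: the VPN firewall emits netfilter-style KEY=VALUE pairs; the
# manual's rendering shows the keys and values but not the separators.
SAMPLE_LOG = """\
2000 Jan 1 00:08:21 SRX5308 kernel: BW_LIMIT_DROP IN=LAN OUT=WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID=10:2
2000 Jan 1 00:09:02 SRX5308 kernel: BW_LIMIT_DROP IN=LAN OUT=WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID=10:2
Nov 24 11:52:55 SRX5308 kernel: UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049
Nov 25 19:42:57 SRX5308 reboot: Rebooting in 3 seconds
Jan 23 16:20:44 SRX5308 wand: FW Firewall Restarted
Jan 23 16:20:44 SRX5308 wand: IPSEC IPSEC Restarted
2000 Jan 1 07:27:47 SRX5308 dhcpd: DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 SRX5308 dhcpd: DHCPACK on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:37 SRX5308 dhcpd: DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found)
"""

# Prefix: "2000 Jan 1 00:08:21" (year first, as the manual shows) or "Nov 24 11:52:55"
HEADER_RE = re.compile(
    r"^(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[A-Za-z0-9_-]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"([A-Z_]+)=(\S+)")
DHCP_RE = re.compile(
    r"^(?P<op>DHCP[A-Z]+)(?: (?:on|for|of) (?P<ip>[\d.]+))?(?: \([\d.]+\))?"
    r" (?:from|to) (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict (ts, host, proc, event, fields), or None for a line not in the documented shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    if rec["proc"] == "kernel":
        # First token names the event (BW_LIMIT_DROP, UCAST, ...); the rest are KEY=VALUE pairs.
        event, _, rest = msg.partition(" ")
        rec["event"], rec["fields"] = event, dict(KV_RE.findall(rest))
    elif rec["proc"] == "dhcpd":
        d = DHCP_RE.match(msg)
        rec["event"] = d.group("op") if d else "dhcpd-other"
        rec["fields"] = {k: v for k, v in d.groupdict().items() if k != "op" and v} if d else {"text": msg}
    else:
        # reboot and wand restart notices carry no structured fields
        rec["event"], rec["fields"] = msg, {}
    return rec

def drop_summary(text):
    """Count BW_LIMIT_DROP events per (SRC, DST, PROTO), so a host that keeps hitting its profile stands out."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "BW_LIMIT_DROP":
            f = rec["fields"]
            counts[(f["SRC"], f["DST"], f["PROTO"])] += 1
    return counts

def leases_from_log(text):
    """MAC -> IP taken only from DHCPACK, the one message that confirms the assignment."""
    leases = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "DHCPACK":
            leases[rec["fields"]["mac"]] = rec["fields"]["ip"]
    return leases

def restarts(text):
    """Timestamps of reboots and firewall/IPSec restarts; each restart coincides with a configuration change being applied."""
    return [(r["ts"], r["event"]) for r in map(parse_line, text.splitlines())
            if r and r["proc"] in ("wand", "reboot")]

if __name__ == "__main__":
    for key, n in drop_summary(SAMPLE_LOG).items():
        print("bandwidth drops", key, n)
    print("leases", leases_from_log(SAMPLE_LOG))
    print("restarts", restarts(SAMPLE_LOG))
```

Run it against a syslog file collected from the VPN firewall (see Activate Notification of Events, Alerts, and Syslogs on page 269) rather than the web screens, which hold only the most recent entries; a restart entry with no matching change in your own change records is worth investigating, because the manual ties every FW and IPSEC restart to a configuration being applied.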
150. (table of contents, continued)
(entry unreadable) 211
(entry unreadable) 212
Access the SSL Portal Login Screen 216
View the SSL VPN Connection Status and SSL VPN Logs 218
Chapter 7. Managing Users, Authentication, and Certificates
Configure VPN Authentication Domains, Groups, and Users 219
Configure Domains 219
Configure Groups for VPN Policies 224
Configure User Accounts 227
Set User Login Policies 229
Change Passwords and Other User Settings 233
Manage Digital Certificates 234
Certificates Screen 235
Manage CA Certificates 236
Manage Self-Signed Certificates 237
Manage the Certificate Revocation List 241
Chapter 8. Network and System Management
Performance Management 242
Bandwidth Capacity 242
Features That Reduce Traffic 243
Features That Increase Traffic 245
Use QoS and Bandwidth Assignment to Shift the Traffic Mix 247
Monitoring Tools for Traffic Management 248
System Management 248
Change Passwords and
151. P Groups screen. To delete an IP group: 1. In the Custom IP Groups table, select the check box to the left of the IP group that you want to delete, or click the Select All table button to select all groups. 2. Click the Delete table button. (Firewall Protection, page 115.) Create Quality of Service (QoS) Profiles. A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router. After you have created a QoS profile, you can assign it to firewall rules on the following screens: Add LAN WAN Outbound Services screen (see Figure 43 on page 93); Add LAN WAN Inbound Services screen (see Figure 44 on page 94); Add DMZ WAN Outbound Services screen (see Figure 46 on page 96); Add DMZ WAN Inbound Services screen (see Figure 47 on page 97). Priorities are defined by the Type of Service (ToS) field in the Internet Protocol Suite standards (RFC 1349). There is no default QoS profile on the VPN firewall. Following are examples of QoS profiles that you could create: Normal service profile: used when no special priority is given to the traffic. You would typically mark the IP packets for services
152. P log (see View the DHCP Log on page 288). To edit a VLAN profile: 1. On the LAN Setup screen (see Figure 30 on page 59), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays; this screen is identical to the Add VLAN Profile screen (see the previous screen). 2. Modify the settings as explained in the previous table. 3. Click Apply to save your settings. To enable, disable, or delete one or more VLAN profiles: 1. On the LAN Setup screen (see Figure 30 on page 59), select the check box to the left of the VLAN profile that you want to change, or click the Select All table button to select all profiles. You cannot select the default VLAN profile. 2. Click one of the following table buttons: Enable: enables the VLAN or VLANs; the status icon changes from a gray circle to a green circle, indicating that the selected VLANs are enabled. By default, when a VLAN is added to the table it is automatically enabled. Disable: disables the VLAN or VLANs; the status icon changes from a green circle to a gray circle, indicating that the selected VLANs are disabled. Delete: deletes the VLAN or VLANs. Configure VLAN MAC Addresses and LAN Advanced Settings. By default, all configured VLAN profiles share the same single MAC address as the LAN ports, and all LAN ports share the same MAC address. However, you can change the VLAN MAC sett
153. P servers. 1. Select Administration > Time Zone. The Time Zone screen displays. Figure 158, Time Zone screen (Administration menu: Remote Management, SNMP, Settings Backup & Upgrade, Time Zone). Fields shown: Date/Time (GMT-08:00 Pacific Time (US)); Automatically Adjust for Daylight Savings Time; Select NTP Mode (Authoritative Mode); Select Stratum; Set date and time manually (day, month, year); Select VPN Policy (None); Use Default NTP Servers; Use Custom NTP Servers: Server 1 Name/IP Address (time-1.company.com), Server 2 Name/IP Address (time-2.company.com); Current Time: Wed Jul 20 15:24:51 GMT-0800 2011. (Network and System Management, page 260.) The bottom of the screen displays the current weekday, date, time, time zone, and year; in the example in the previous figure: Current Time: Wed Jul 20 15:24:51 GMT-0800 2011. Enter the settings as explained in the following table. Table 64. Time Zone screen settings. Date/Time: from the drop-down list, select the local time zone in which the VPN firewall operates. The correct time zone is required in order for scheduling to work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling. Automatically Adjust for Daylight Savings Time: if daylight savings time is supported in your region, select the Automatically Adjust for Daylight Savings Time c
154. PC connected to that modem. If this is the case, you need to configure your VPN firewall to clone (spoof) the MAC address of the authorized PC. You can do this in the Router's MAC Address section of the WAN Advanced Options screen for the WAN interface that you are troubleshooting (see Configure Advanced WAN Options on page 51). Restore the Default Configuration and Password. To reset the VPN firewall to the original factory default settings, use one of the following two methods. Reset button: push the reset button on the rear panel of the VPN firewall (see Rear Panel on page 16) and hold it for about 8 seconds, until the Test LED turns on and begins to blink (about 30 seconds). To restore the factory default configuration when you do not know the administration password or IP address, you need to use the reset button method. Web management interface: on the Settings Backup and Firmware Upgrade screen, next to Revert to factory default settings, click the Default button: a. To display the Settings Backup and Firmware Upgrade screen, select Administration > Settings Backup and Firmware Upgrade (see the following figure). b. Click the Default button. Both methods also restore the default administrator password printed on the product label, so change it again before the VPN firewall is reconnected to the Internet. (Troubleshooting and Using Online Support, page 299.) Figure: Settings Backup and Firmware Upgrade screen (Administration menu: Remote Management, SNMP, Settings Backup and Firmware Upgrade); Save a copy of current settings: Back Up; Restore saved settings from file: Restore; Revert
155. PN firewall's enclosure displays factory default settings, regulatory compliance, and other information. Figure 3, product label: NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308. This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. DEFAULT ACCESS: https://192.168.1.1, user name admin, password password. FOR HOME OR OFFICE USE. Input rating: AC 100-240V, 50/60Hz, 0.6 Amp max. (Remaining label text: listing marks, serial number, and MAC address fields, not legible.) Because these default credentials are printed on every unit, change the password before the VPN firewall is connected to the Internet (see Change Passwords and Administrator Settings on page 248). Choose a Location for the VPN Firewall. The VPN firewall is suitable for use in an office environment, where it can be free-standing on its runner feet or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or equipment room. A rack mounting kit containing two mounting brackets and four screws is provided in the package. Consider the following when deciding where to position the VPN firewall: the unit is accessible and cables can be connected easily; cabling is away from sources of electrical noise, such as lift shafts, microwave ovens, and air conditioning units; water or moisture cannot enter the case of the unit; airflow a
156. You can obtain a digital certificate from a well-known commercial certification authority (CA), such as VeriSign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides strong assurance of the server's identity. A self-signed certificate triggers a warning from most browsers because it provides no protection against impersonation of the server: anyone can generate a self-signed certificate carrying the same name. The VPN firewall contains a self-signed certificate from NETGEAR. This certificate can be downloaded from the VPN firewall login screen for browser import; if you do import it, confirm its fingerprint against the device itself first, because the browser will then trust that certificate without further checks. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA before deploying the VPN firewall in your network. Certificates Screen. To display the Certificates screen, select VPN > Certificates. Because of the large size of this screen and the way the information is presented, the Certificates screen is divided and presented in this manual in three figures: Figure 146 on page 236, Figure 148 on page 238, and Figure 150 on page 241. The Certificates screen lets you view the currently loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The VPN firewall typically holds two types of digital certificates: CA digita
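Before importing the certificate downloaded from the login screen into a browser, an administrator should see what is being trusted. The script below is an added example, not NETGEAR tooling: it prints the SHA-256 fingerprint (to compare with the one shown on the device's Certificates screen), reports whether the certificate is self-signed (issuer equals subject, so nobody vouches for the name), and shows how many days remain before it expires. It assumes OpenSSL 1.1.1 or later on the administrator's workstation and accepts either PEM or DER input, since the download format is not stated in the manual.

```sh
#!/bin/sh
# Added example (not from NETGEAR): inspect a certificate downloaded from the
# VPN firewall's login screen before trusting it in a browser.
# Assumes: openssl 1.1.1+ on the admin workstation; input file is PEM or DER.
set -eu

to_pem() {            # to_pem <file>  -> PEM on stdout, whatever the input encoding
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

cert_fingerprint() {  # SHA-256 fingerprint: the value to compare with the device's Certificates screen
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

cert_is_self_signed() {   # exit 0 when issuer == subject, i.e. no CA vouches for the name
    pem=$(to_pem "$1")
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

cert_days_left() {    # whole days until notAfter; negative once expired (GNU date, with a BSD date fallback)
    end=$(to_pem "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

report() {
    printf 'SHA-256 fingerprint: %s\n' "$(cert_fingerprint "$1")"
    if cert_is_self_signed "$1"; then
        echo 'self-signed: browsers will warn; replace it with a CA-issued certificate before deployment'
    else
        echo 'CA-issued'
    fi
    printf 'days until expiry: %s\n' "$(cert_days_left "$1")"
}

if [ $# -eq 1 ]; then
    report "$1"
fi
```

Usage: `sh inspect-cert.sh srx5308.crt`. If the fingerprint printed here does not match the one the device displays, do not import the file; the login page you downloaded it from was not the firewall.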
157. RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE). Power adapter: universal input 100-240V AC, 50/60 Hz, 1.2 Amp maximum. Physical specifications: dimensions (W x H x D) 33 x 4.3 x 20.9 cm (13 x 1.7 x 8.2 inches); weight 2.1 kg (4.6 lb). (Default Settings and Technical Specifications, page 303.) Table 76. VPN firewall physical and technical specifications (continued). Environmental specifications: operating temperature 0 to 45 °C (32 to 113 °F); storage temperature -20 to 70 °C (-4 to 158 °F); operating humidity 90% maximum relative humidity, noncondensing; storage humidity 95% maximum relative humidity, noncondensing. Major regulatory compliance: meets requirements of FCC Class A, CE, WEEE, RoHS. Interface specifications: 4 LAN ports, one of which is a configurable DMZ interface, AutoSense 10/100/1000BASE-T RJ-45; 4 WAN ports, AutoSense 10/100/1000BASE-T RJ-45; 1 administrative console port, RS-232. The following table shows the IPSec VPN specifications for the VPN firewall. Table 77. VPN firewall IPSec VPN specifications. Network management: web-based configuration and status monitoring. Number of concurrent users supported: 125. IPSec encryption algorithm
158. S (index, continued): Microsoft Internet Authentication Service 220, 222; ModeConfig operation, configuring 176, 183; MTU (maximum transmission unit) 53; multicast pass-through 108; multi-home LAN IP addresses 65; multiple WAN ports: auto-rollover and load balancing 310, 314; FQDNs 43, 134, 135, 306, 313; network planning 306; overview 10. N: NAS (Network Access Server) 175; NAT (Network Address Translation): description 12; filtering for tunnels 108; firewall use with 81; mapping one-to-one 33, 102; mode, configuring 33; status, viewing 278; NetBIOS, VPN tunnels 169, 194; Network Access Server (NAS) 175; Network Address Translation, see NAT; network configuration requirements 308; network database: advantages 67; Known PCs and Devices table 69, 70, 287; managing 67, 71; network planning for multiple WAN ports 306; network resources and objects, SSL VPN 208, 210; Network Time Protocol (NTP): modes and servers 261; troubleshooting 300; newsgroups, blocking 124; notice messages, syslog 273; NT Domain 220, 222; NTP (Network Time Protocol): modes and servers 261; troubleshooting 300. O: objects, SSL VPN 210; one-time passcode (OTP) 341, 342; online documentation 301; online games, DMZ port 72; option arrow, web management interface 23; Oray.net 42, 45; order of precedence, firewall rules 90; other event log messages 338; OTP (one-time passcode) 341, 342; outbound rules: configuring 84; default 82; DMZ WAN 96; examples 105; LAN DMZ 99; LAN WAN 93; order of preceden
159. SL VPN Firewall SRX5308. To configure the VPN firewall for remote management: 1. Select Administration > Remote Management. The Remote Management screen displays. Figure 153, Remote Management screen. Secure HTTP Management: Allow Secure HTTP Management (Yes / No; "Be sure to change default password"); Everyone / IP address range (from, to) / Only this PC; Port Number; IP Address to connect to this device ("Be sure to type https, not http"). Telnet Management: Status: Service is Disabled; Allow Telnet Management (Yes / No; "Be sure to change default password"); Everyone / IP address range / Only this PC. Telnet carries the administrator password in cleartext, so leave Telnet management disabled (its default) or, if you must enable it, restrict it to Only this PC. (Network and System Management, page 251.) 2. Enter the settings as explained in the following table. Table 62. Remote Management screen settings. Secure HTTP Management: Allow Secure HTTP Management. Note: the IP address and port number to connect to the VPN firewall are shown in this section of the screen. Select the Yes radio button to enable HTTPS remote management, which is the default setting, and specify the IP address settings and port number settings. Select the No radio button to disable HTTPS remote management. Select one of the following IP address settings: Everyone: allow access from any IP address on the Internet (this exposes the management login to the whole Internet; prefer an IP address range or Only this PC where practical). IP address range: allow access from a range of IP addresses on
160. SL VPN default portal layout. 2. Click the Delete table button. Configure Domains, Groups, and Users. Remote users connecting to the VPN firewall through an SSL VPN portal need to be authenticated before they are granted access to the network. The login window presented to the user requires three items: a user name, a password, and a domain selection. The domain determines both the authentication method and the portal layout that are used. You need to create name and password accounts for the SSL VPN users. When you create a user account, you need to specify a group; groups are used to simplify the application of access policies. When you create a group, you need to specify a domain. Therefore, create any domains first, then groups, and then user accounts. To configure domains, groups, and users, see Configure VPN Authentication Domains, Groups, and Users on page 219. Configure Applications for Port Forwarding. Port forwarding provides access to specific defined network services. To define these services, you need to specify the internal server addresses and port numbers for TCP applications that are intercepted by the port forwarding client on the user's PC. This client reroutes the traffic to the VPN firewall. Add Servers and Port Numbers. To configure port forwarding, you need to define the IP addresses of the internal servers and the port number for TCP applications that are available to remote users.
161. Selected button to open the Selected Mode Config Record Details popup window. General: Policy Name: a descriptive name of the IKE policy for identification and management purposes. Note: the name is not supplied to the remote VPN endpoint. Direction/Type: from the drop-down list, select the connection method for the VPN firewall: Initiator: the VPN firewall initiates the connection to the remote endpoint. Responder: the VPN firewall responds only to an IKE request from the remote endpoint. Both: the VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint. Exchange Mode: from the drop-down list, select the exchange mode between the VPN firewall and the remote VPN endpoint: Main: this mode is slower than Aggressive mode but more secure; the peers' identities are exchanged only after the channel is encrypted. Aggressive: this mode is faster than Main mode but less secure; the identities travel in the clear, and with a pre-shared key the authentication hash can be captured by anyone on the path and attacked offline. Note: if you specify either an FQDN or a User FQDN name as the local ID or remote ID (see the Local and Remote sections on the screen), Aggressive mode is automatically selected. (Virtual Private Networking Using IPSec Connections, page 162.) Table 38. Add IKE Policy screen settings (continued). Local: Select Local Gateway: from the drop-down list, select one of the four WAN interfaces to function as the local gateway. Identifier
162. Server. (Figure 37, DMZ Setup screen; partially legible fields: ...Server, WINS Server, Lease Time (Hours), DHCP Relay: Relay Gateway, DNS Proxy: Enable DNS Proxy.) 2. Enter the settings as explained in the following table. Table 14. DMZ Setup screen settings. DMZ Port Setup: Do you want to enable DMZ Port? Select one of the following radio buttons: Yes: enables you to configure the DMZ port settings; fill in the IP Address and Subnet Mask fields. No: allows you to disable the DMZ port after you have configured it. IP Address: enter the IP address of the DMZ port. Make sure that the DMZ port IP address and the LAN port IP address are in different subnets, for example 192.168.10.1 when the LAN is 192.168.1.1 with subnet mask 255.255.255.0 (as in the example address plan on page 41); an address such as 192.168.1.101 that is merely outside the LAN DHCP pool is still in the LAN subnet and does not satisfy this requirement. Subnet Mask: enter the IP subnet mask of the DMZ port; the subnet mask specifies the network number portion of an IP address. (LAN Configuration, page 73.) Table 14. DMZ Setup screen settings (continued). DHCP: Disable DHCP Server: if another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting. Enable DHCP Server: select the Enable DHCP Server radio button to enable the VPN firewal
163. Simplify Policies. Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies: you do not need to redefine the same set of IP addresses or address ranges when you configure the same access policies for multiple users. Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. For most organizations, however, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies. Add New Network Resources. To define a network resource: 1. Select VPN > SSL VPN > Resources. The Resources screen displays. The following figure shows some resources in the List of Resources table as an example. Figure 128, Resources screen (tabs: IPSec VPN, Certificates, Connection Status, Policies, Resources, Portal Layouts, SSL VPN Client, Port Forwarding); List of Resources: FTPServer (Port Forwarding), TestResource (VPN Tunnel); Add New Resource: Resource Name, Service (VPN Tunnel). 2. In the Add New Resource section of the screen, specify information in the following fields: Resource Name: a descriptive name of the resource for identifica
164. The IP address of the DNS server. IP Address: the IP address of the ping server. Retry Interval is: the retry interval in seconds; the DNS query or ping is sent periodically, once every test period. The default test period is 30 seconds. Failover after: the number of failed tests; the primary WAN interface is considered down after the specified number of queries have failed to elicit a reply, and the backup interface is then brought up. The failover default is 4 failures. Note: the default time to roll over after the primary WAN interface fails is 2 minutes, that is, 4 failed tests at 30-second intervals. The minimum test period is 30 seconds and the minimum number of tests is 4. 5. Click Apply to save your settings. You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Activate Notification of Events, Alerts, and Syslogs on page 269). Configure Load Balancing and Optional Protocol Binding. To use multiple ISP links simultaneously, configure load balancing. In load balancing mode, any WAN port carries any outbound protocol unless protocol binding is configured. When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to the WAN2 port, then the VPN firewall automatically (Connecting the VPN Firewall to the Internet, page 36)
165. To add a secondary LAN IP address to the default VLAN: 1. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays. Figure 33, LAN Multi-homing screen (Network Configuration menu: WAN Settings, Protocol Binding, Dynamic DNS, LAN Setup, LAN Groups, LAN Multi-homing): Available Secondary LAN IPs table (IP Address, Subnet Mask; Select All, Delete); Add Secondary LAN IP Address (IP Address, Subnet Mask). The Available Secondary LAN IPs table displays the secondary LAN IP addresses that were added to the VPN firewall. 2. In the Add Secondary LAN IP Address section of the screen, enter the following settings: IP Address: enter the secondary address that you want to assign to the LAN ports. Subnet Mask: enter the subnet mask for the secondary IP address. 3. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table. Repeat step 2 and step 3 for each secondary IP address that you want to add. Note: secondary IP addresses cannot be served by the DHCP server; the hosts on the secondary subnets need to be configured manually with their IP addresses, gateway IP address, and DNS server IP addresses. (LAN Configuration, page 66.) To edit a secondary LAN IP address: 1. On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP
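The address rules scattered across entries 145 (secondary WAN addresses must differ from every configured primary WAN, LAN, and DMZ address, but may share a subnet with the primary WAN address), 162 (DMZ and LAN must be in different subnets), and 165 (secondary LAN subnets get no DHCP) are easy to violate on a box with up to four WAN ports, each with a secondary address. The checker below is an added example, not NETGEAR code, that applies those rules to an address plan written as "address/mask" strings; the constructed input is the manual's own example plan from page 41. The host-address check (an interface address must not be the network or broadcast address) is an added sanity check the manual does not state.

```python
import ipaddress

# The manual's example address plan (page 41) plus its DMZ address, as constructed input.
# "address/mask" notation is accepted by ipaddress.ip_interface. First entry is primary.
EXAMPLE_PLAN = {
    "WAN1": ["10.0.0.1/255.0.0.0", "30.0.0.1/255.0.0.0"],
    "WAN2": ["20.0.0.1/255.0.0.0", "40.0.0.1/255.0.0.0"],
    "LAN":  ["192.168.1.1/255.255.255.0", "192.168.20.1/255.255.255.0"],
    "DMZ":  ["192.168.10.1/255.255.255.0"],
}

def check_plan(plan):
    """Return a list of rule violations; an empty list means the plan satisfies the manual's rules.
    Checked: (1) every configured address is unique across all ports; (2) DMZ and LAN subnets do not
    overlap; (3) each address is a host address, not the network or broadcast address (an added sanity
    check, not stated in the manual). Primary and secondary WAN addresses may share a subnet, so that is
    deliberately not flagged."""
    problems, seen = [], {}
    for port, addrs in plan.items():
        for i, text in enumerate(addrs):
            iface = ipaddress.ip_interface(text)
            label = f"{port} {'secondary' if i else 'primary'}"
            net = iface.network
            if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{label} {iface.ip} is not a host address in {net}")
            if iface.ip in seen:
                problems.append(f"{label} {iface.ip} duplicates {seen[iface.ip]}")
            seen[iface.ip] = label
    lan_nets = [ipaddress.ip_interface(a).network for a in plan.get("LAN", [])]
    for text in plan.get("DMZ", []):
        dmz_net = ipaddress.ip_interface(text).network
        for lan_net in lan_nets:
            if dmz_net.overlaps(lan_net):
                problems.append(f"DMZ subnet {dmz_net} overlaps LAN subnet {lan_net}")
    return problems

def manual_hosts(plan):
    """Secondary LAN subnets are not served by DHCP: return (subnet, gateway) pairs whose hosts need static config."""
    return [(str(ipaddress.ip_interface(a).network), str(ipaddress.ip_interface(a).ip))
            for a in plan.get("LAN", [])[1:]]

if __name__ == "__main__":
    print(check_plan(EXAMPLE_PLAN))
    # The address Table 14 mentions as a DMZ example sits inside the 192.168.1.0/24 LAN subnet:
    print(check_plan(dict(EXAMPLE_PLAN, DMZ=["192.168.1.101/255.255.255.0"])))
    print(manual_hosts(EXAMPLE_PLAN))
```

Run it on the plan before typing addresses into the WAN Secondary Addresses, DMZ Setup, and LAN Multi-homing screens; the web interface applies each screen separately, so a clash between two screens is not reported at entry time.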
166. To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. The following figure contains some entries as an example. Figure 82, VPN Wizard screen. About VPN Wizard: the Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. Fields shown: This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? (Client to MainOffice); What is the pre-shared key? (I7 KL39dFG_8; key length 8-49 characters). This VPN tunnel will use the following local WAN interface: WAN2, Enable Rollover. End Point Information: What is the Remote Identifier Information? What is the Local Identifier Information? Secure Connection Remote Accessibility: What is the remote LAN IP Address? What is the remote LAN Subnet Mask? To display the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A popup window appears (see Figure 78 on page 138) displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set u
167. Type: from the drop-down list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below: Local WAN IP: the WAN IP address of the VPN firewall; when you select this option, the Identifier field is masked out (unavailable). FQDN: the Internet address of the VPN firewall. User FQDN: the email address of a local VPN client or of the VPN firewall. DER ASN1 DN: a distinguished name (DN) that identifies the VPN firewall, in DER encoding and ASN.1 format. Identifier: depending on the selection in the Identifier Type drop-down list, enter the IP address, email address, FQDN, or distinguished name. Remote: Identifier Type: from the drop-down list, select one of the following ISAKMP identifiers to be used by the remote endpoint, and then specify the identifier in the field below: Remote WAN IP: the WAN IP address of the remote endpoint; when you select this option, the Identifier field is masked out (unavailable). FQDN: the FQDN of the remote gateway. User FQDN: the email address of a remote VPN client or gateway. DER ASN1 DN: a distinguished name (DN) that identifies the remote endpoint, in DER encoding and ASN.1 format. Identifier: depending on the selection in the Identifier Type drop-down list, enter the IP address, email address, FQDN, or distinguished name. IKE SA Parameters: Encryption Algorithm: from the drop-down list, select one of the following fi
168. VPN firewall as described in the previous section. LAN or WAN Port LEDs Not On. Make sure your PC's IP address is on the same subnet as the VPN firewall. If you are using the recommended addressing scheme, your PC's address should be in the range 192.168.1.2 to 192.168.1.254. Note: if your PC's IP address is shown as 169.254.x.x, the computer could not reach a DHCP server; Windows and Mac operating systems generate and assign an address in the 169.254.x.x range in that case. If your IP address is in this range, check the connection from the PC to the VPN firewall and reboot your PC. If your VPN firewall's IP address has been changed and you do not know the current IP address, reset the VPN firewall's configuration to factory defaults; this sets the VPN firewall's IP address to 192.168.1.1. This procedure is explained in Restore the Default Configuration and Password on page 299. Tip: if you do not want to revert to the factory default settings and lose your configuration, you can reboot the VPN firewall and use a sniffer to capture packets sent during the reboot; look at the ARP packets to locate the VPN firewall's LAN interface address. Make sure that you are using the SSL (https) address login rather than the http address login. (Troubleshooting and Using Online Support, page 295.) Make sure that your browser has Java, JavaScript, or Ac
169. VPN firewall might restart, or services such as HTTP and SMTP might restart. If you want to configure the advanced settings for an additional WAN interface, select another WAN interface and repeat these steps.
Additional WAN-Related Configuration Tasks
- If you want the ability to manage the VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 250). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator Settings on page 248).
- You can set up the traffic meter for each WAN if desired. See Enable the WAN Traffic Meter on page 263.
What to Do Next
The following sections describe important tasks that you might want to address before you deploy the VPN firewall in your network:
- Configure VPN Authentication Domains, Groups, and Users on page 219
- Manage Digital Certificates on page 234
- Use the IPSec VPN Wizard for Client and Gateway Configurations on page 136
- Overview of the SSL Configuration Process on page 197
LAN Configuration
This chapter describes how to configure the advanced LAN features of your VPN firewall. This chapter contains the following sections:
- Manage Virtual LANs and DHCP Options
- Configure Multi-Home LAN IP Addresses on the Default VLAN
- Manage Groups and Hosts (LAN Groups)
- Configure and Enable the DMZ Port
- Manage R
170. WAN Mode. The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load balancing, you need to specify one WAN interface as the primary interface.
- Load balancing mode: The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. You can configure up to four WAN interfaces. The VPN firewall supports weighted load balancing and round-robin load balancing (see Configure Load Balancing and Optional Protocol Binding on page 36).
Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
- Primary WAN mode: The selected WAN interface is made the primary interface. The other three interfaces are disabled.
- Auto-rollover mode: The selected WAN interface is defined as the primary link, and another interface needs to be defined as the rollover link. The remaining two interfaces are disabled. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link. If you want to
171. Table 51. Port forwarding applications: TCP port numbers (continued)
TCP application: Port number
SMTP (send mail): 25
HTTP (web): 80
POP3 (receive mail): 110
NTP (Network Time Protocol): 123
Citrix: 1494
Terminal Services: 3389
VNC (virtual network computing): 5900 or 5800 (a)
(a) Users can specify the port number together with the host name or IP address.
3. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged in to the SSL VPN portal and launched port forwarding.
To delete an application from the List of Configured Applications for Port Forwarding table: Select the check box to the left of the application that you want to delete, and then click the Delete table button in the Action column.
Add a New Host Name
After you have configured port forwarding by defining the IP addresses of the internal servers and the port number for TCP applications that are available to remote users, you then can also specify host name to IP address resolution for the network servers as a convenience for users. Host name resolution allows users to access TCP applications at familiar addresses, such as mail.example.com or ftp.customer.com, rather than by IP addresses.
172. a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses.
Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration:
- Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 to 10.0.0.255.
- Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 to 10.0.1.10.
- Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 to 10.0.0.20, and the FQDN ftp.company.com, which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user would attempt to access:
- an FTP server at 10.0.0.1, the user would be blocked by Policy 1
- an FTP server at 10.0.1.5, the user would be blocked by Policy 2
- an FTP server at 10.0.0.10, the user would be granted
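The precedence rules of the passage above, worked through as an added Python example (not NETGEAR's code). The policy names, address ranges and the ftp.company.com to 10.0.1.3 mapping are taken from the text; the tie-break for equal-sized matches and the behaviour when no policy matches are assumptions, and the 10.0.1.3 case extends the page's list by one address.

```python
"""SSL VPN policy precedence, as described in the manual's global-policy example.

Added illustration (not NETGEAR firmware code). Rules taken from the text:
  * a single address or host name beats an address range,
  * an address range beats a policy applied to all IP addresses,
  * among several matching ranges, the smallest range wins,
  * a network resource is ranked per address entry, not as a whole.
Tie-break between two matching entries of equal size and the behaviour when no
policy matches are not stated in the passage; this example assumes DENY wins a
tie and returns None when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Sequence, Tuple

# Constructed stand-in for DNS: the passage says ftp.company.com resolves to 10.0.1.3.
RESOLVER: Dict[str, str] = {"ftp.company.com": "10.0.1.3"}

ALL_SIZE = 1 << 33  # larger than any IPv4 range: "applies to all IP addresses"


@dataclass(frozen=True)
class Scope:
    """One address entry of a policy: a single IP, a range, or all addresses."""
    start: Optional[IPv4Address]  # None (with end=None) means "all addresses"
    end: Optional[IPv4Address]

    @classmethod
    def single(cls, ip: str) -> "Scope":
        a = IPv4Address(ip)
        return cls(a, a)

    @classmethod
    def range(cls, first: str, last: str) -> "Scope":
        return cls(IPv4Address(first), IPv4Address(last))

    @classmethod
    def host(cls, name: str) -> "Scope":
        # Host names are treated the same as individual IP addresses.
        return cls.single(RESOLVER[name])

    @classmethod
    def everything(cls) -> "Scope":
        return cls(None, None)

    def size(self) -> int:
        if self.start is None:
            return ALL_SIZE
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: IPv4Address) -> bool:
        return self.start is None or self.start <= ip <= self.end


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                 # "PERMIT" or "DENY"
    service: Optional[str]      # None means "all services"
    scopes: Tuple[Scope, ...]   # a network resource contributes several scopes


def resolve(policies: Sequence[Policy], ip: str, service: str) -> Optional[Tuple[str, str]]:
    """Return (policy name, action) of the most specific matching entry, or None."""
    target = IPv4Address(ip)
    best_key = None
    best = None
    for policy in policies:
        if policy.service is not None and policy.service != service:
            continue
        for scope in policy.scopes:
            if not scope.contains(target):
                continue
            # Smaller range first; on equal size DENY (rank 0) beats PERMIT (rank 1).
            key = (scope.size(), 0 if policy.action == "DENY" else 1)
            if best_key is None or key < best_key:
                best_key, best = key, (policy.name, policy.action)
    return best


# The manual's three example global policies.
POLICIES = (
    Policy("Policy 1", "DENY", None, (Scope.range("10.0.0.0", "10.0.0.255"),)),
    Policy("Policy 2", "DENY", "FTP", (Scope.range("10.0.1.2", "10.0.1.10"),)),
    Policy("Policy 3", "PERMIT", "FTP",
           (Scope.range("10.0.0.5", "10.0.0.20"), Scope.host("ftp.company.com"))),
)

if __name__ == "__main__":
    for addr in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "10.0.1.3"):
        print(addr, "FTP ->", resolve(POLICIES, addr, "FTP"))
```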
173. Configure the Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray and select Configuration Panel. The Configuration Panel screen displays (Figure 90).
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration and select New Phase 1 (Figure 91).
3. Change the name of the authentication phase (the default is Gateway):
   a. Right-click the authentication phase name.
   b. Select Rename.
   c. Type vpn_client.
   d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen with the Authentication tab selected by default.
174. routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port. Protocol binding addresses two issues:
- Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.
- Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established.
Configure Load Balancing
To configure load balancing:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays (Figure 19: NAT or Classical Routing selection between WAN and LAN interfaces; Load Balancing Mode, Primary WAN Mode, and Auto Rollover options).
2. In the Load Balancing Settings section of the screen, configure the following settings:
   a. Select the Load Balancing Mode radio button.
   b. From the corresponding drop-down list on the right, select one of the following load balancing methods:
   - Weighted LB: With weighted load balancing, balance weights are
175. able
- Domain Name: The name of the domain. The default domain name, geardomain, is appended by an asterisk.
- Authentication Type: The authentication method that is assigned to the domain.
- Portal Layout Name: The SSL portal layout that is assigned to the domain.
- Action: The Edit table button that provides access to the Edit Domain screen.
Under the List of Domains table, click the Add table button. The Add Domain screen displays (Figure 137: fields Domain Name, Authentication Type, Select Portal, Authentication Server, Authentication Secret, Workgroup, LDAP Base DN, Active Directory Domain).
3. Enter the settings as explained in the following table.
Table 56. Add Domain screen settings
Domain Name: A descriptive (alphanumeric) name of the domain for identification and management purposes.
Authentication Type: From the drop-down list, select the authentication method that the VPN firewall applies to the domain. The screen adjusts to display the fields that require configuration.
Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client Configuration on page 174).
- Local User Databa
176. able to determine the device name if the software firewall of the device blocks the name.
- Manual entry: You can manually enter information about a network device.
Some advantages of the network database are:
- Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the name of the desired PC or device.
- There is no need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server are maintained until the PC or device is removed from the network database, either by expiration (inactive for a long time) or by you.
- There is no need to use a fixed IP address on a PC. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a PC to ensure that it always has the same IP address.
- A PC is identified by its MAC address, not by its IP address. The network database uses the MAC address to identify each PC or device. Therefore, changing a PC's IP address does not affect any restrictions applied to that PC.
- Control over PCs can be assigned to groups and individuals. You can assign PCs to groups (see Manage the Network Database on page 68) and apply restrictions (LAN WAN outbound rules, LAN DMZ outbound rules, LAN WAN inbound rules, and LAN DMZ inbound rules) to each group (see Use Rules to Block or Allow Specific
177. active after completing the wizard, manually edit the VPN policy to enable keep-alive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive. For more information, see Configure Keep-alives on page 192.
Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses. After you have validated the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses.
3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled (Figure 79: List of VPN Policies table with an example Auto Policy, local 192.168.1.0 / 255.255.255.0, remote 192.172.1.0 / 255.255.255.0, SHA-1, 3DES).
4. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall.
5. Activate the IPSec VPN connection:
   a. Select VPN > Connection Status. The VPN Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view.
178. adcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. The broadcast of ARP packets is enabled by default for the default VLAN.
5. Click Apply to save your settings.
Note: If you attempt to configure more than 16 VLANs while the MAC address for VLANs is set to Unique on the LAN Advanced screen, the MAC addresses that are assigned to each VLAN might no longer be distinct.
Configure Multi-Home LAN IP Addresses on the Default VLAN
If you have computers using different IP networks in the LAN (for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet, but you can do so only for the default VLAN. The IP addresses that are assigned as secondary IP addresses need to be unique and should not be assigned to the VLAN.
It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IP addresses:
- WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
- WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
- DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
- Primary LAN IP address: 192.168.1.1 with subnet 255.255.255.0
- Secondary LAN IP address: 192.168.20.1 with subnet 255.255.255.0
179. address that you need to enter depends on whether or not you have specified a LAN IP network address in the Local IP Address field on the Add Mode Config Record screen of the VPN firewall.
- If you left the Local IP Address field blank, enter the VPN firewall's default LAN IP address as the remote host address that opens the VPN tunnel. For example, enter 192.168.1.1.
- If you specified a LAN IP network address in the Local IP Address field, enter the address that you specified as the remote host address that opens the VPN tunnel.
Subnet Mask: Enter 255.255.255.0 as the remote subnet mask of the VPN firewall that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the VPN firewall. If you left the Local Subnet Mask field blank, enter the VPN firewall's default IP subnet mask.
Table 47. VPN client IPSec configuration settings (Mode Config), continued
ESP Encryption: Select 3DES as the encryption algorithm from the drop-down list.
Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
Mode: Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group: Select the PFS check box, and then select the DH2 (1024) key group from the drop-down
180. adio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
- Primary Server IP Address: The IP address of the primary RADIUS server.
- Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.
- Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
Note: The VPN firewall functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall's IP address might be sufficient as an identifier, or the server might require a name, which you need to enter in this field.
Backup RADIUS Server: Select the Yes radio button to enable and configure the backup RADIUS server, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
Table 42. RADIUS Client screen settings (continued): Settings
181. administrators have read/write access. All other users have read-only access.
Note: The default password for the administrator and for a guest to access the VPN firewall's web management interface is password.
To modify user settings:
1. Select Users > Users. The Users screen displays (see Figure 140 on page 227).
2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit User screen displays (Figure 145: fields Username, User Authentication Type, Select User Type, Check to Edit Password, Enter Your Password, New Password, Confirm New Password, Idle Timeout).
3. Enter the settings as explained in the following table.
Table 60. Edit User screen settings
User Type: From the drop-down list, select one of the pre-defined user types that determines the access credentials:
- Administrator: User who has full access and the capacity to change the VPN firewall configuration (that is, read/write access).
- SSL VPN User: User who can only log in to the SSL VPN portal.
- IPSEC VPN User: User who can only make an IPSec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 172).
- Guest User: User who can only view the VPN firewall configuration (that is, r
182. age 25.
2. Click the Edit table button in the Action column of the WAN interface for which you want to automatically configure the connection to the Internet. The WAN ISP Settings screen displays (see Figure 11 on page 26, which shows the WAN1 ISP Settings screen as an example).
3. Locate the ISP Login section on the screen (Figure 13: Does Your Internet Connection Require a Login? Yes / No; Login; Password). In the ISP Login section, select one of the following options:
- If your ISP requires an initial login to establish an Internet connection, select Yes. The default is No.
- If a login is not required, select No and ignore the Login and Password fields.
If you selected Yes, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP.
In the ISP Type section of the screen, select the type of ISP connection that you use from the three listed options. By default, Other (PPPoE) is selected, as shown in the following figure (Figure 14: Which type of ISP connection do you use? Austria (PPTP), Other (PPPoE); fields Account Name, Domain Name, Idle Timeout / Keep Connected, Connection Reset, Disconnect Time, Delay, My IP Address, Server IP Address).
If your connection is PPTP
183. ain of the VPN firewall, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain. You cannot delete the default domain geardomain nor its associated default group geardomain.
IMPORTANT: When you create a new domain on the Domains screen (see the previous section), a default group with the same name as the new domain is created automatically. The name of a default group is appended by an asterisk, and you cannot delete a default group. However, when you delete the domain with which it is associated, the default group is deleted automatically.
Note: IPSec VPN users always belong to the default domain geardomain and are not assigned to groups.
Note: Groups that are defined on the User screen are used for setting SSL VPN policies. These groups should not be confused with LAN groups that are defined on the LAN Groups screen and that are used to simplify firewall policies. For information about LAN groups, see Manage Groups and Hosts (LAN Groups) on page 67.
Create and Delete Groups
To create a VPN group:
1. Select Users > Groups. The Groups screen displays. The following figure shows the VPN firewall's default group geardomain and, as an example, several other groups in the List of Groups table (Figure 138: Default Groups; Add New Group).
184. ains on page 219. You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.
Note: The VPN firewall's default portal address is https://<IP_Address>/portal/SSL-VPN. The default domain geardomain is attached to the SSL VPN portal.
You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the VPN firewall by clicking the Default button in the Action column of the List of Layouts table to the right of the desired portal layout.
To create a new SSL VPN portal layout:
1. Select VPN > SSL VPN > Portal Layouts. The Portal Layout screen displays. The following figure shows layouts in the List of Layouts table as an example. The IP address that is shown in this figure does not relate to other figures and examples in this manual (Figure: List of Layouts table with columns Portal Layout, Use Count, Portal URL, Action; example URL https://99.180.226.101/portal/SSL-VPN marked Default).
185. al user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 174.
- Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 174.
Username: The user name for XAUTH.
Password: The password for XAUTH.
4. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.
To edit an IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 104 on page 160).
2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 105 on page 161).
3. Modify the settings that you wish to change (see the previous table).
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
Configure VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
- Manual: You manually enter all settings (including the keys) for the VPN tunnel on the VPN firewall and on the remote VPN endpoint. No third-party server
186. all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service: From the drop-down list, select the service to which the SSL VPN policy is applied:
- VPN Tunnel: The policy is applied only to a VPN tunnel.
- Port Forwarding: The policy is applied only to port forwarding.
- All: The policy is applied both to a VPN tunnel and to port forwarding.
Permission: From the drop-down list, select whether the policy permits (PERMIT) or denies (DENY) access.
4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.
Note: If you have configured SSL VPN user policies, ensure that HTTPS remote management is enabled (see Configure Remote Management Access on page 250). If HTTPS remote management is not enabled, all SSL VPN user connections are disabled.
To edit an SSL VPN policy:
1. On the Policies screen (see Figure 130 on page 212), click the Edit button in the Action column for the SSL VPN policy that you want to modify. The Edit SSL VPN Policy screen displays. This screen is identical to the Add SSL VPN Policy screen (see the previous screen).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To
187. an IP address is fixed, an FQDN is optional.
VPN Telecommuter (Client-to-Gateway through a NAT Router)
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
The following situations exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN firewall, such as a VPN firewall at the company office:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In a single WAN port gateway configuration, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port needs to act as the responder.
(Figure 198: Telecommuter example, single WAN port. Gateway A is the VPN Router at the employer's main office, WAN IP / FQDN bzrouter.dyndns.org, LAN 10.5.6.0/24 with LAN IP 10.5.6.1. Client B is the telecommuter's remote PC running the NETGEAR ProSafe VPN Client behind NAT Router B, WAN IP 0.0.0.0. Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.)
The IP address of the gateway WAN port can be either fixed
188. an auto-rollover has occurred, the VPN tunnel will be reestablished using the backup WAN interface.
Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued)
End Point Information
What is the Remote WAN's IP Address or Internet Name? (a) Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
What is the Local WAN's IP Address or Internet Name? When you select the Gateway radio button in the About VPN Wizard section of the screen, the IP address of the VPN firewall's active WAN interface is automatically entered.
Secure Connection Remote Accessibility
What is the remote LAN IP Address? Enter the LAN IP address of the remote gateway.
Note: The remote LAN IP address needs to be in a different subnet than the local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x. If this information is incorrect, the tunnel will fail to connect.
What is the remote LAN Subnet Mask? Enter the LAN subnet mask of the remote gateway.
(a) Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported.
Tip: To ensure that tunnels stay
189. and firewall in order to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR advises that you use a gateway security appliance such as a NETGEAR ProSecure STM appliance.
Generally, seven steps are required to complete the Internet connection of your VPN firewall:
1. Connect the VPN firewall physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://support.netgear.com/app/products/model/a_id/13568.
2. Log in to the VPN firewall. After logging in, you are ready to set up and configure your VPN firewall. See Log In to the VPN Firewall on page 20.
3. Configure the Internet connections to your ISPs. During this phase, you connect to your ISPs. You can also program the WAN traffic meters at this time, if desired. See Configure the Internet Connections on page 24.
4. Configure the WAN mode. Select either NAT or classical routing. Select load balancing mode, auto-rollover mode, or primary (single WAN) mode. For load balancing, you can also select any necessary protocol bindings. See Configure the WAN Mode on page 32.
5. Configure secondary WAN addresses on the WAN ports (optional). Configur
190. ange. First determine the address range to be assigned to VPN tunnel clients, then define the address range.
To define the client IP address range:
1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays (Figure 127: Client IP Address Range section with the Enable Full Tunnel Support check box, Primary DNS Server, Secondary DNS Server, Client Address Range Begin, and Client Address Range End, the end address shown as 192.168.251.254; an Add Routes for VPN Tunnel Clients section with Destination Network and Subnet Mask; and the note that static routes should be added to reach any secure network in SPLIT TUNNEL mode, while in FULL TUNNEL mode all client routes will be ineffective).
Complete the settings as explained in the following table.
Table 52. SSL VPN client IP address range settings
Client IP Address Range
Enable Full Tunnel Support: Select this check box to enable full tunnel support. If you leave this check box cleared (which is the default setting), split tunnel support is enabled and you need to add client routes (see Add Routes for VPN Tunnel Clients on page 207).
Note: When full tunnel support is enabled, client routes are not
191. ansition logic, which is part of the failover algorithm. These logs can be interpreted as follows: The primary link failure is correctly detected after the 3rd attempt. Thereafter, the algorithm attempts to restart the WAN connection and checks once again to determine if WAN1 is still down. This results in the 4th failure detection message. If it is still down, then it starts a secondary link, and once the secondary link is up, the secondary link is marked as active. Meanwhile, the primary link has failed once more, and that results in the 5th failure detection message. Note that the 5th failure detection message and the message suggesting that the secondary link is active have the same timestamp, and so they happen in the same algorithm state machine cycle. So although it appears that the failover did not happen immediately after 3 failures, internally the failover process is triggered after the 3rd failure, and the transition to the secondary link is completed by the 5th failure. The primary link is also restarted every 3 failures till it is functional again. In these logs, the primary link was restarted after the 6th failure, that is, 3 failures after the failover process was triggered.
Recommended Action: Check the WAN settings and WAN failure detection method configured for the primary link.
PPP Logs
This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface (see Manually
192. any corporations and enterprises worldwide.
What Is Two-Factor Authentication?
Two-factor authentication is a security solution that enhances and strengthens security by implementing multiple factors of the authentication process that challenge and confirm the users' identities before they can gain access to the network. There are several factors that are used to validate the users, to make sure that you are who you say you are. These factors are:
- Something you know, for example, your password or your PIN.
- Something you have, for example, a token with a generated passcode that is 6 to 8 digits in length.
- Something you are, for example, biometrics such as fingerprints or retinal prints.
This appendix focuses on and discusses only the first two factors: something you know and something you have. This security method can be viewed as a two-tiered authentication approach because it typically relies on what you know and what you have. A common example of two-factor authentication is a bank ATM card that has been issued by a banking institution:
- The PIN to access your account is something you know.
- The ATM card is something you have.
You need to have both of these factors to gain access to your bank account. Similar to the way ATM cards work, access to the corporate networks and data can also be strengthened using a combination of multiple factors, such as a PIN and a token (hardware or software), to validate the users and red
193. application of the product(s) or circuit layout(s) described herein.
Revision History
Part Number | Publication Version | Publish Date | Comments
202-10536-02 | 1.0 | July 2011 | Added new features that are documented in the following sections: Configure WAN QoS Profiles; Inbound Rules (Port Forwarding) and LAN WAN Inbound Services Rules; Attack Checks; Set Session Limits; Create IP Groups; Use the NETGEAR VPN Client Wizard to Create a Secure Connection; Manually Create a Secure Connection Using the NETGEAR VPN Client; Configure the NETGEAR VPN Client for Mode Config Operation; Configure Date and Time Service; Enable the LAN Traffic Meter
202-10536-01 | 1.0 | April 2010 | Initial publication of this reference manual
Contents
Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? ... 9
Key Features and Capabilities ... 10
Quad WAN Ports for Increased Reliability and Outbound Load Balancing ... 10
Advanced VPN Support for Both IPSec and SSL ... 11
A Powerful, True Firewall with Content Filtering ... 11
Security Features ... 12
Autosensing Ethernet Connections with Auto Uplink ... 12
Extensive Protocol Support ... 12
Easy Installation and Management ... 13
Maintenance and Support ...
194. are that your VPN firewall is running, select Monitoring from the main navigation menu. The Router Status screen displays, showing the firmware version in the System Info section of the screen. After you have upgraded the firmware, the new firmware version is shown on the screen.
To download a firmware version and upgrade the VPN firewall:
1. Go to the NETGEAR website at http://www.netgear.com/support.
   a. Under Find Your Product, enter SRX5308, and then click on the product number. The SRX5308 support screen displays.
   b. Click the orange Downloads tab.
   c. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall's software.
2. Download the firmware file to your computer. Note the following:
   • If your browser is not configured to save downloaded files automatically, locate the folder in which you want to save the file, specify the file name, and save the file.
   • If your browser is configured to save downloaded files automatically, the file is saved to your browser's download location on the hard disk.
3. Select Administration > Settings Backup and Firmware Upgrade. The Settings Backup and Firmware Upgrade screen displays (see the previous screen).
4. In the Router Upgrade section of the screen, click the Browse button.
5. Locate and select the firmware file that you have downloaded.
6. After you have selected the file, click the Upload button.
195. at the VPN firewall is using.
Firmware Version Secondary: The secondary software version. This version is for display only. In the current release, you cannot configure this version.
LAN (VLAN) Information: For each of the four LAN ports, the screen shows the IP address and subnet mask. For more detailed information, see the following table.
WAN Information: For each of the four WAN ports, the screen shows the IP address, subnet mask, and status of the port (UP or DOWN). For more detailed information, see the following table.
Monitoring System Access and Performance 275 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
[Figure 166: Router Status screen with the Show Statistics button, showing the System Name (SRX5308), the primary and secondary firmware versions, the LAN Information table (IP address and subnet mask per port, including the DMZ port), and the WAN Information table (IP address and subnet mask per WAN port)]
View the Detailed Status Screen
To view the Detailed Status screen:
1. Select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays. Because of the large size of the screen and to avoid duplication of information, the foll
196. at you want to disable, or click the Select All table button to select all services.
2. Click the Delete table button.
Create IP Groups
An IP group contains a collection of individual IP addresses that do not need to be within the same IP address range. You specify an IP group as either a LAN group or WAN group and use the group as a firewall object to which you apply a firewall rule.
To create an IP group:
1. Select Security > Services > IP Groups. The IP Groups screen displays. The following figure shows three groups in the Custom IP Groups table as an example.
[Figure 61: IP Groups screen, showing a Custom IP Groups table with three example groups (Default, LAN Group; InternalSupport, LAN Group; PremiumSupport, WAN Group) and the Add New Custom IP Group section with the IP Group Name field and IP Group Type drop-down list]
2. In the Add New Custom IP Group section of the screen, do the following:
   • In the IP Group Name field, enter a name for the group.
   • From the IP Group Type drop-down list, select LAN Group or WAN Group.
3. Click Apply to save your changes. The new IP group is displayed in the Custom IP Groups table.
4. In the Custom IP Groups table, click the Edit table button to the right of the IP group that you just created. The Edit IP Group screen displays. The following figure shows three IP addresses in the IP Addresses Gr
197. bility so that the VPN client can easily communicate with the VPN firewall or third-party VPN devices. The Configuration Wizard does not let you enter the local and remote IDs, so you need to manually enter this information.
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed.
To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall:
1. Right-click the VPN client icon in your Windows system tray and select Configuration Panel. The Configuration Panel screen displays.
[Figure 84: NETGEAR ProSafe VPN Client Professional Configuration Panel screen, showing the VPN Configuration tree with Global Parameters]
2. From the main menu on the Configuration Panel screen, select Configuration > Wizard. The Choice of the remote equipment wizard screen (screen 1 of 3) displays.
[Figure 85: VPN Configuration Wizard, Choice of the remote equipment screen, with the options Another computer and A router or a VPN gateway]
3. Select the A router or a VPN gateway radio button and click Next. The VPN tunnel parameters wizard s
198. bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)
Note: Ensure that the DH Group is configured identically on both sides.
SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, rekeying occurs. The default is 28800 seconds (8 hours).
Enable Dead Peer Detection: Note: See also Configure Keep-alives and Dead Peer Detection on page 191. Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled:
• Yes. This feature is enabled. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
• No. This feature is disabled. This is the default setting.
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default is 10 seconds.
Reconnect after failure count: The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.
Extended A
199. ble summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode.
Table 28. IP Addressing for VPNs in Dual WAN Port Systems
Configuration and WAN IP address | Rollover mode (a) | Load balancing mode
VPN Road Warrior (client-to-gateway), Fixed | FQDN required | FQDN Allowed (optional)
VPN Road Warrior (client-to-gateway), Dynamic | FQDN required | FQDN required
VPN Gateway-to-Gateway, Fixed | FQDN required | FQDN Allowed (optional)
VPN Gateway-to-Gateway, Dynamic | FQDN required | FQDN required
VPN Telecommuter (client-to-gateway through a NAT router), Fixed | FQDN required | FQDN Allowed (optional)
VPN Telecommuter (client-to-gateway through a NAT router), Dynamic | FQDN required | FQDN required
a. After a rollover, all tunnels need to be reestablished using the new WAN IP address.
Use the IPSec VPN Wizard for Client and Gateway Configurations
You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios:
• Using the wizard to configure a VPN tunnel between two VPN gateways
• Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client
Configuring a VPN tunnel connection requires that all settings on both sides of the VPN tunnel match or mirror each o
200. by the rule. Select one of the following options from the drop-down list:
• Any. All Internet IP addresses.
• Single address. In the Start IP field, enter the IP address to which the rule is applied.
• Address range. In the Start IP field and End IP field, enter the IP addresses for the range to which the rule is applied.
• Group. If this option is selected, the rule is applied to the selected IP WAN group. Note: For information about IP groups, see Create IP Groups on page 114.
5. Click Apply to save your settings. The protocol binding rule is added to the Protocol Binding table. The rule is automatically enabled, which is indicated by the status icon that displays a green circle.
To edit a protocol binding:
1. On the Protocol Bindings screen (see Figure 20 on page 38), in the Protocol Bindings table, click the Edit table button to the right of the binding that you want to edit. The Edit Protocol Bindings screen displays. This screen shows the same fields as the Add Protocol Bindings screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To enable, disable, or delete one or more protocol bindings:
1. On the Protocol Bindings screen (see Figure 20 on page 38), select the check box to the left of the protocol binding that you want to enable, disable, or delete, or click the Select All table button to select all bindings.
2. Click on
201. calculated based on WAN link speed and available WAN bandwidth. This is the default setting and most efficient load balancing algorithm.
• Round-robin. With round-robin load balancing, new traffic connections are sent over a WAN link in a serial method, irrespective of bandwidth or link speed. For example, if the WAN1, WAN2, and WAN3 interfaces are active in round-robin load balancing mode, an HTTP request could first be sent over the WAN1 interface, then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. This load balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
3. Click Apply to save your settings.
Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Configuration > Protocol Binding.
2. Select the Load Balancing radio button. The Protocol Bindings screen displays. The following figure shows two examples in the Protocol Binding table.
[Figure: Protocol Bindings screen, showing a Protocol Binding table with the columns Service, Local Gateway, Source Network, Destination Network, and Action, and two example bindings: AIM on WAN1 from ANY to the PremiumSupport group, and FTP on WAN3 from 172.28.1.10-172.28.1.29 to ANY]
Protocol Binding is used when Loa
202. ce 90; overview 83; reducing traffic 243; scheduling 121; service blocking 83; settings 84
P
package contents, VPN firewall 14
packet matching and marking 48, 49
packets: accepted and dropped, configuring logs 271; capturing, diagnostics 291; collided, received, and transmitted 280; dropped because of session limits 110
PAP (Password Authentication Protocol). See also RADIUS-PAP, MIAS-PAP, or WiKID-PAP 220
pass-through, multicast 108
passwords: changing 233, 234, 248, 249; default 21; RADIUS, WiKID, MIAS 222; restoring 299
Perfect Forward Secrecy (PFS) 172, 179
performance management 242
permanent IP address 27, 31
PFS (Perfect Forward Secrecy) 172, 179
physical specifications 303
pinging: auto-rollover 34; responding on Internet ports 107; responding on LAN ports 108; troubleshooting TCP/IP 298; using the ping utility 289
pinouts, console port 16
placement, location of the VPN firewall 17
plug and play, configuring 132
policies: IKE, managing 159, 165; ModeConfig operation, configuring 179; IPSec VPN, automatically generated 165; groups, configuring 224; managing 159; manually generated 165; SSL VPN, managing 210, 215; policy hierarchy 210
pools, ModeConfig operation 178
port filtering: reducing traffic 243; rules 83
port forwarding: firewall rules 83, 86; reducing traffic 245
port triggering: configuring 130, 132; increasing traffic 246; status, monitoring 132, 285
Port VLAN Id
203. ... 13
Package Contents ... 14
Hardware Features ... 14
Front Panel ... 14
Rear Panel ... 16
Bottom Panel with Product Label ... 17
Choose a Location for the VPN Firewall ... 17
Using the Rack-Mounting Kit ... 18
Chapter 2 Connecting the VPN Firewall to the Internet
Internet and WAN Configuration Tasks ... 19
Qualified Web Browsers ... 20
Log In to the VPN Firewall ... 20
Web Management Interface Menu Layout ... 23
Configure the Internet Connections ... 24
Automatically Detecting and Connecting ... 25
Set the VPN Firewall's MAC Address ... 28
Manually Configure the Internet Connection ... 28
Configure the WAN Mode ... 32
Configure Network Address Translation ... 33
Configure Classical Routing ... 33
Configure the Auto-Rollover Mode and Failure Detection Method ... 34
Configure Load Balancing and Optional Protocol Binding ... 36
Configure Secondary WAN Addresses ... 41
Configure Dynamic DNS ...
204. [Figure 105: Add IKE Policy screen, with the IPSec Host setting and the Apply and Reset buttons]
3. Complete the settings as explained in the following table.
Table 38. Add IKE Policy screen settings
Setting | Description
Mode Config Record
Do you want to use Mode Config Record? | Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 176. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients. You need to select a Mode Config record from the drop-down list.
• No. Disables Mode Config for this IKE policy.
Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
Note: An XAUTH configuration via an edge device is not possible without Mode Config and is therefore disabled too. For more information about XAUTH, see Configure Extended Authentication (XAUTH) on page 172.
Select Mode Config Record | From the drop-down list, select one of the Mode Config records that you defined on the Add Mode Config Record screen (see Configure Mode Config Operation on the VPN Firewall on page 177). Note: Click the View
205. ceived.
View the WAN Port Connection Status
You can view the status of a WAN connection with its associated DNS servers and DHCP servers.
To view the status of a WAN connection:
1. Select Network Configuration > WAN Settings. The WAN screen displays (see Figure 10 on page 25).
2. Click the Status button in the Action column of the WAN interface for which you want to view the connection status. The Connection Status screen appears in a popup window.
[Figure 175: Connection Status popup window, showing Connection Time, Connection Type (Static IP), Connection State (Connected), IP Address, Subnet Mask, Gateway, DNS Server, and a Disconnect button]
The Connection Status screen displays the information that is described in the following table. The information that is shown on the Connection Status screen depends on the nature of the connection (static IP address or dynamically assigned IP address). Therefore, not all information that is described in the following table might be shown.
Table 74. WAN port Connection Status screen information
Item | Description
Connection Time | The period that the VPN firewall has been connected through the WAN port.
Connection Type | The connection type can be either DHCP or Static IP.
Con
206. [Figure 17: WAN Mode screen, showing the NAT and Classical Routing options, the Load Balancing Mode (Weighted LB) setting, and the Primary WAN Mode (WAN1) and Auto-Rollover Secondary settings]
2. In the Load Balancing Settings section of the screen, configure the following settings:
   a. Select the Primary WAN Mode radio button.
   b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interfaces become disabled.
   c. Select the Auto-Rollover check box.
   d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.
   Note: Ensure that the backup WAN interface is configured before enabling auto-rollover mode.
3. Click Apply to save your settings.
Configure the Failure Detection Method
To configure the failure detection method:
1. Select Network Configuration > WAN Settings. The WAN screen displays (see Figure 10 on page 25).
2. Click the Edit table button in the Action column of the WAN interface that you selected as the primary WAN interface. The WAN ISP Settings screen displays (see Figure 17 on page 26, which shows the WAN1 ISP Settings screen as an example).
3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. For an image of the entire
207. ch the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 118. Bandwidth limiting occurs in the following ways:
• For outbound traffic: On the available WAN interface in the single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode.
• For inbound traffic: On the LAN interface for all WAN modes.
Note: Bandwidth limiting does not apply to the DMZ interface.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location. If you are unsure, see the Acceptable Use Policy of your ISP.
Order of Precedence for Rules
As you define a new rule, it is added to a table in a Rules screen as the last item in the list, as shown in the LAN WAN Rules screen example in Figure 47 on page 91. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules might be important in determining
208. cifies how many steps (hops) each UPnP packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. The default setting is 4 hops.
4. Click Apply to save your settings.
To refresh the contents of the UPnP Portmap Table, click Refresh.
Virtual Private Networking Using IPSec Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections:
• Considerations for Multi-WAN Port Systems
• Use the IPSec VPN Wizard for Client and Gateway Configurations
• Test the Connection and View Connection and Status Information
• Manage IPSec VPN Policies
• Configure Extended Authentication (XAUTH)
• Assign IP Addresses to Remote Users (Mode Config)
• Configure NetBIOS Bridging with IPSec VPN
• Configure Keep-alives and Dead Peer Detection
Considerations for Multi-WAN Port Systems
If two WAN ports of the VPN firewall are configured, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. Your WAN mode selection impacts how the VPN features need to be configured. The use of fully qualified domain names (FQDNs) in VPN policies is mandatory when the WAN ports function in auto-rollover mode o
209. cify the services or applications to be covered by an outbound rule. If the desired service or application does not appear in the list, you need to define it on the Services screen (see Services-Based Rules on page 83 and Add Customized Services on page 112).
• LAN users. You can specify which computers on your network are affected by an outbound rule. There are several options:
  Any. The rule applies to all PCs and devices on your LAN.
  Single address. The rule applies to the address of a particular PC.
  Address range. The rule applies to a range of addresses.
  Groups. The rule is applied to a group of PCs. You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules. The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the network database, which is described in Manage the Network Database on page 68. PCs and network devices are entered into the network database by various methods that are described in Manage Groups and Hosts (LAN Groups) on page 67.
• WAN users. You can specify which Internet locations are covered by an outbound rule based on their IP address:
  Any. The rule applies to all Internet IP addresses.
  Single address. The rule applies to a single Internet IP address.
  Address range. The rule applies to a range of Interne
210. [Figure 57: Session Limit screen, showing the Packets Dropped due to Session Limit counter and the Session Timeout section with the TCP Timeout, UDP Timeout, and ICMP Timeout fields (in seconds)]
2. Click the Yes radio button under Do you want to enable Session Limit?
3. Enter the settings as explained in the following table.
Table 21. Session Limit screen settings
Setting | Description
Session Limit
Session Limit Control | From the drop-down list, select one of the following options:
• When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out.
• Single IP Cannot Exceed. When the limit is reached, no new session is allowed from the IP address for a specified period, or all sessions from the IP address are terminated and new sessions are blocked for a specified period. You need to specify the action and period by selecting one of the following radio buttons:
  Block IP to add new session for. No new session is allowed from the IP address for a period. In the time field, specify the period in seconds.
  Block IP's all connections for. All sessions from the IP address are terminated and new sessions are blocked for a period. In the time field, specify the period in seconds.
User Limit Parameter | From the User Limit Parameter drop-down list, select o
211. client. It might be less confusing to configure an FQDN such as client.com as the remote ID on the VPN firewall and then enter client.com as the local ID on the VPN client.
Remote ID: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter srx_local.com as the remote ID for the VPN firewall. Note: The local ID on the VPN firewall is the remote ID on the VPN client. It might be less confusing to configure an FQDN such as router.com as the local ID on the VPN firewall and then enter router.com as the remote ID on the VPN client.
8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Create the IPSec Configuration (Phase 2 Settings)
Note: On the VPN firewall, the IPSec configuration (phase 2 settings) is referred to as the IKE settings.
To create an IPSec configuration:
1. In the tree list pane of the Configuration Panel screen, right-click the vpn_client authentication phase name, and then select New Phase 2.
2. Change the name of the IPSec configuration (the default is Tunnel):
   a. Right-click the IPSec configuration name.
   b. Select Rename.
   c. Type netgear_platform.
   d. Click anywhere in the tree list pane.
   Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name i
212. configuration (the default is Tunnel):
   a. Right-click the IPSec configuration name.
   b. Select Rename.
   c. Type Tunnel_ModeConfig.
   d. Click anywhere in the tree list pane.
   Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The IPSec pane displays in the Configuration Panel screen with the IPSec tab selected by default.
[Figure 116: NETGEAR ProSafe VPN Client Professional Configuration Panel, with the GW_ModeConfig configuration selected in the VPN Configuration tree and the IPSec tab showing the Addresses section (VPN Client address, Address type, Remote LAN address, Subnet mask) and the Encryption, Authentication, and Mode settings]
Specify the settings that are explained in the following table.
Table 47. VPN client IPSec configuration settings (Mode Config)
Setting | Description
VPN Client address | This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the VPN firewall displays in this field (see Figure 121 on page 192).
Address Type | Select Subnet address from the drop-down list.
Remote host address | The
213. connects your local area network (LAN) to the Internet through up to four external broadband access devices such as cable modems or DSL modems. Four wide area network (WAN) ports allow you to increase the effective data rate to the Internet by utilizing all WAN ports to carry session traffic, or to maintain backup connections in case of failure of your primary Internet connection. The VPN firewall is a complete security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple web content filtering options, plus browsing activity reporting and instant alerts, both via email. Network administrators can establish restricted access policies based on time of day, website addresses, and address keywords. The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds. The VPN firewall is a plug-and-play device that can be installed and configured within minutes.
Key Features and Capabilities
The VPN firewall provides the following key features and capabilities:
• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connecti
214. contains the extKeyUsage extension that is defined for SNMPV2, the same certificate cannot be used for secure web management. The extKeyUsage would govern the certificate acceptance criteria on the VPN firewall when the same digital certificate is being used for secure web management. On the VPN firewall, the uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and the purpose matches its use. The purpose needs to correspond to its use for IPSec VPN, SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository.
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified.
215. creen (screen 2 of 3) displays.
[Figure 86: VPN Configuration Wizard, VPN tunnel parameters screen, with the fields IP or DNS public (external) address of the remote equipment, Preshared key, and IP private (internal) address of the remote network]
3. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22.
• Preshared key. Enter the pre-shared key that you already specified on the VPN firewall. For example, enter I7 KL39dFG_8.
• IP private (internal) address of the remote network. Enter the remote private IP address of the VPN firewall. For example, enter 192.168.1.0. This IP address enables communication with the entire 192.168.1.x subnet.
4. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays.
[Figure: VPN Configuration Wizard, Configuration Summary screen, reporting that the tunnel configuration is correctly completed and listing the tunnel name (Gateway 1), the remote equipment type (Router or VPN gateway), the IP or name of the equipment (10.34.116.22), the masked preshared key, the IP address of the remote network (192.168.1.0), and the subnet mask (255.255.255.0); the screen notes that you may change these parameters anytime directly with the ma
216. curity.
• PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the VPN firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
• DMZ port. Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one PC on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and four WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The VPN firewall incorporates Auto Uplink technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the por
217. d
LAN DMZ Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the LAN to the DMZ is allowed. Leave that default in place only if every LAN host may reach every DMZ service; otherwise add BLOCK rules so that a compromised LAN host cannot reach DMZ management ports.
To create a new inbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen displays.
Figure 50: Add LAN DMZ Inbound Service screen (fields: Service; Action, default BLOCK always; Select Schedule; LAN Users Start/End; DMZ Users Start/End)
2. Enter the settings as explained in Table 19 on page 88.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
Add LAN WAN Inbound Service screen for this example: Service HTTP; Action ALLOW always; Send to LAN Server, Start 192
218. d
- Private: If you want to limit access to the LAN only, select the Private check box. Doing so prevents the static route from being advertised in RIP.
- Destination IP Address: The destination IP address of the host or network to which the route leads.
- Subnet Mask: The IP subnet mask of the host or network to which the route leads. If the destination is a single host, enter 255.255.255.255.
- Interface: From the drop-down list, select the interface, that is, the physical network interface (WAN1, WAN2, WAN3, WAN4, or DMZ) or virtual interface (VLAN profile) through which the route is accessible.
- Gateway IP Address: The gateway IP address through which the destination host or network can be reached. The gateway must be directly reachable on the selected interface's subnet.
- Metric: The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
4. Click Apply to save your settings. The new static route is added to the Static Routes table.
To edit a static route that is in the Static Routes table:
1. On the Routing screen (see Figure 39 on page 76), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen is identical to the Add Static Route screen (see the previous screen).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To delete one or more routes:
1. On the Routing
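The following is an added example, not firmware or documentation from NETGEAR, showing how a static-route table with the fields above (destination, mask, interface, gateway, metric 2 to 15, host routes with mask 255.255.255.255) is consulted: the most specific prefix wins, and among equal prefixes the lowest metric wins. The route entries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str       # host or network address, e.g. "10.20.0.0"
    subnet_mask: str       # e.g. "255.255.0.0"; 255.255.255.255 for a single host
    interface: str         # WAN1..WAN4, DMZ, or a VLAN profile name
    gateway: str           # next hop, which must be reachable on `interface`
    metric: int            # 2..15; lowest metric wins among equal prefixes
    private: bool = False  # True = not advertised in RIP

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits in the destination, as the screen does
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)


def validate_route(route: StaticRoute) -> None:
    """Reject the inputs the Add Static Route screen would refuse."""
    if not 2 <= route.metric <= 15:
        raise ValueError(f"metric {route.metric} is outside 2..15")
    ipaddress.IPv4Address(route.gateway)   # raises on a malformed gateway
    route.network()                        # raises on a malformed address or mask


def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Pick the route for dst: most specific prefix first, lowest metric on ties.
    Returns None when no static route matches (the default route would apply)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network()]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network().prefixlen, r.metric))


# Constructed sample table (not from the manual): a broad /8, two competing
# /16 routes with different metrics, and a /32 host route.
SAMPLE_ROUTES = [
    StaticRoute("10.0.0.0", "255.0.0.0", "WAN1", "203.0.113.1", 5),
    StaticRoute("10.20.0.0", "255.255.0.0", "WAN2", "198.51.100.1", 9),
    StaticRoute("10.20.0.0", "255.255.0.0", "DMZ", "172.16.2.254", 3, private=True),
    StaticRoute("10.20.5.7", "255.255.255.255", "SalesVLAN", "192.168.2.254", 12),
]
for _r in SAMPLE_ROUTES:
    validate_route(_r)


def chosen_interface(dst: str) -> Optional[str]:
    """Interface the sample table would use for dst, or None for the default route."""
    route = lookup(SAMPLE_ROUTES, dst)
    return route.interface if route else None


if __name__ == "__main__":
    for d in ("10.20.5.7", "10.20.9.9", "10.99.1.1", "192.0.2.1"):
        print(d, "->", chosen_interface(d))
```

The host route to 10.20.5.7 wins despite its high metric because prefix length is compared before metric; the two /16 routes are only separated by metric.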
219. d Balancing option is selected in WAN Mode.
Figure 20: Protocol Binding screen (table buttons: Select All, Delete, Enable, Disable, Add)
The Protocol Binding table displays the following fields:
- Check box: Allows you to select the protocol binding rule in the table.
- Status icon: Indicates the status of the protocol binding rule. Green circle: the protocol binding rule is enabled. Gray circle: the protocol binding rule is disabled.
- Service: The service or protocol for which the protocol binding rule is set up.
- Local Gateway: The WAN interface to which the service or protocol is bound.
- Source Network: The computers or groups on your network that are affected by the protocol binding rule.
- Destination Network: The Internet locations (based on their IP address) or groups that are covered by the protocol binding rule.
- Action: The Edit table button provides access to the Edit Protocol Binding screen for the corresponding service.
3. Click the Add table button below the Protocol Binding table. The Add Protocol Binding screen displays.
Figure 21: Add Protocol Binding screen (fields: Service, default ANY; Local Gateway, default WAN1; Source Network: Any or Start IP/End IP; Destination Network: Any or Start IP/End IP)
4. Configure the protocol binding settings as explained in the following table.
Tab
220. d Remote ID
- Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter srx_remote.com as the local ID for the VPN client.
Note: The remote ID on the VPN firewall is the local ID on the VPN client. It might be less confusing to configure an FQDN such as client.com as the remote ID on the VPN firewall and then enter client.com as the local ID on the VPN client.
- Remote ID: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter srx_local.com as the remote ID for the VPN firewall.
Note: The local ID on the VPN firewall is the remote ID on the VPN client. It might be less confusing to configure an FQDN such as router.com as the local ID on the VPN firewall and then enter router.com as the remote ID on the VPN client.
An FQDN-type IKE identifier is compared as a string; it is not resolved in DNS and need not correspond to a real host name. It only has to agree on both ends and match the identifier the IKE policy on the firewall expects for this peer.
7. Configure the global parameters:
a. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen.
Figure: Netgear ProSafe VPN Client Professional, Global Parameters pane (Lifetime (sec) with Default, Minimal, and Maximal columns; Authenticat
221. d activate logs:
1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays.
Figure 164: Firewall Logs & E-mail screen. Sections: Log Identifier; Routing Logs (Accepted Packets and Dropped Packets check boxes for LAN to WAN, LAN to DMZ, DMZ to WAN, DMZ to LAN, WAN to LAN, WAN to DMZ); System Logs (Change of time by NTP, Login attempts, Secure Login attempts, Reboots, All Unicast Traffic, All Broadcast/Multicast Traffic, WAN Status, Resolved DNS Names, VPN); Other Event Logs (Source MAC Filter, Session Limit); Enable E-Mail Logs (E-Mail Server Address, Return E-Mail Address, Send to E-Mail Address, authentication: No Authentication, Login Plain, or CRAM-MD5, Username, Password, Respond to Identd from SMTP Server, Send e-mail logs by schedule); Enable SysLogs (Yes/No, Syslog Server, Syslog Severity, default LOG_DEBUG).
Two points to keep in mind when enabling these: the Login Plain SMTP option sends the mailbox credentials in clear text, so prefer CRAM-MD5 or an SMTP server on a trusted network; and syslog is sent over unauthenticated UDP, so place the syslog server where the firewall's management traffic is already protected. Logging All Unicast Traffic on a busy link produces a very high message rate.
2. Enter the settings as explained in the following table.
Table 67: Firewall Logs & E-mail screen settings
Setti
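As an added example (not part of the manual, and not code from NETGEAR), the following shows what a syslog receiver does with the messages this screen emits: decode the RFC 3164 PRI field into facility and severity, apply a severity threshold such as the LOG_DEBUG default shown on the screen, and run a simple detection over the kept records. The sample lines are constructed in the style of firewall syslog output; they are not captured from an SRX5308.

```python
import re
from typing import Dict, List, Optional

# Syslog severity codes 0..7; lower numbers are more urgent.
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv", 16: "local0"}

# RFC 3164 layout: <PRI>TIMESTAMP HOST MSG, where PRI = facility * 8 + severity
_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None for lines that are not syslog."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum PRI
        return None
    return {"facility": FACILITIES.get(pri // 8, str(pri // 8)),
            "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def forwarded(lines: List[str], max_severity: str = "LOG_DEBUG") -> List[dict]:
    """Records a receiver keeps with threshold max_severity. LOG_DEBUG (7) keeps
    everything; LOG_WARNING (4) keeps warning, err, crit, alert and emerg only."""
    limit = SEVERITIES.index(max_severity)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec and SEVERITIES.index(rec["severity"]) <= limit:
            kept.append(rec)
    return kept


def failed_logins(records: List[dict]) -> Dict[str, int]:
    """Detection use of the Login attempts log: failed logins per source address."""
    counts: Dict[str, int] = {}
    for rec in records:
        m = re.search(r"login failed .* from (\S+)", rec["msg"])
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample lines. <134> = local0.info, <11> = user.err, <13> = user.notice
SAMPLE = [
    "<134>Jan 12 10:02:33 srx5308 [WAN1-LAN] DROP TCP 198.51.100.7:51234 -> 203.0.113.10:22",
    "<134>Jan 12 10:02:35 srx5308 [WAN1-LAN] ACCEPT TCP 198.51.100.7:51300 -> 203.0.113.10:80",
    "<11>Jan 12 10:03:01 srx5308 [admin] login failed for user admin from 192.168.1.77",
    "<13>Jan 12 10:05:12 srx5308 [ntp] time adjusted by 2 seconds",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for rec in forwarded(SAMPLE, "LOG_WARNING"):
        print(rec["severity"], rec["host"], rec["msg"])
    print(failed_logins(forwarded(SAMPLE)))
```

Setting the firewall's Syslog Severity to LOG_DEBUG and filtering on the receiver, as above, keeps the full record available for incident reconstruction while the on-call view only sees the urgent subset.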
222. d operation
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following methods:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and the receiver.
- Connect the equipment into an electrical outlet on a circuit different from that to which the radio receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
Modifications made to the product, unless expressly approved by NETGEAR, Inc., could void the user's right to operate the equipment.
Canadian Department of Communications Radio Interference Regulations
This digital apparatus (ProSafe Gigabit Quad W
223. d traffic and that are common to most Inbound Service screens (see Figure 44 on page 94, Figure 47 on page 97, and Figure 50 on page 100). The steps to configure inbound rules are described in the following sections:
- Set LAN WAN Rules
- Set DMZ WAN Rules
- Set LAN DMZ Rules
Table 19: Inbound rules overview
Setting | Description
Service | The service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 112).
Action | The action for the inbound connections covered by this rule:
- BLOCK always
- BLOCK by schedule, otherwise allow
- ALLOW always
- ALLOW by schedule, otherwise block
Note: Inbound traffic that matches none of the rules you create is handled by the default policy for that interface pair: inbound traffic from the WAN to the LAN or DMZ is blocked by default, while inbound traffic from the LAN to the DMZ is allowed by default.
Select Schedule | The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule. This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the Action. Use the Schedule screen to configure the time schedules (see Set a Schedule to Block or Allow Specific Traffic on page 121).
Send to LAN Server | The LAN server address determines which computer on your network is hosting this service rule. You can also translate this address to a
224. database. You can add users on the Add User screen (see User Database Configuration on page 174).
- Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 174.
- Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 174.
Username: The user name for XAUTH.
Password: The password for XAUTH.
4. Click Apply to save your settings.
User Database Configuration
When XAUTH is enabled in an Edge Device configuration, users are authenticated either through a local user database account or by an external RADIUS server. Whether or not you use a RADIUS server, you might want some users to be authenticated locally. These users need to be added to the List of Users table on the Users screen, as described in Configure User Accounts on page 227.
RADIUS Client Configuration
Remote Authentication Dial-In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to netw
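The difference between the PAP and CHAP options above is in what crosses the wire between the firewall (the RADIUS client) and the RADIUS server. The following added example, which is not NETGEAR code and not taken from the manual, implements both exchanges as RFC 2865 specifies them: PAP sends a User-Password attribute hidden with MD5 of the shared secret and the Request Authenticator, and CHAP sends an ident byte plus MD5(ident + password + challenge). Two caveats follow directly from the code: the PAP hiding is keyed obfuscation rather than authenticated encryption, so the RADIUS path should be a trusted network, and CHAP obliges the server to keep the plaintext password. The secret and password values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_user_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: the User-Password attribute as the NAS sends it (PAP).
    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), seeded by the 16-byte
    Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _md5(shared_secret, prev)
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_user_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = _md5(shared_secret, prev)
        cipher = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    # Strip the NUL padding; a password that itself ends in NUL is not representable.
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 (RFC 1994 CHAP): CHAP-Password value =
    CHAP ident byte + MD5(ident + password + challenge)."""
    return bytes([ident]) + _md5(bytes([ident]), password, challenge)


def chap_verify(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check; needs the plaintext password, which is CHAP's cost."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)


# Constructed demo values: in production the shared secret is long and random.
SECRET = b"example-shared-secret-not-for-production"
PASSWORD = b"correct horse battery staple"


def pap_roundtrip(password: bytes = PASSWORD) -> bytes:
    """What the server recovers from a PAP Access-Request built with a fresh authenticator."""
    authenticator = secrets.token_bytes(16)
    hidden = hide_user_password(SECRET, authenticator, password)
    return reveal_user_password(SECRET, authenticator, hidden)


def chap_roundtrip(password: bytes = PASSWORD) -> bool:
    """Client computes the CHAP response for a server-chosen challenge; server verifies it."""
    challenge = secrets.token_bytes(16)
    return chap_verify(chap_response(7, password, challenge), challenge, password)


if __name__ == "__main__":
    print("PAP recovered:", pap_roundtrip())
    print("CHAP verified:", chap_roundtrip())
```

Neither option protects against an attacker who can read the RADIUS exchange and knows the shared secret, so the strength of the secret and the isolation of the path between the firewall and the RADIUS server matter as much as the choice between PAP and CHAP.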
225. delete one or more SSL VPN policies:
1. On the Policies screen (see Figure 130 on page 212), select the check box to the left of the SSL VPN policy that you want to delete, or click the Select All table button to select all policies.
2. Click the Delete table button.
Access the SSL Portal Login Screen
All screens that you can access from the SSL VPN menu of the web management interface display a User Portal link at the upper right corner above the menu bars. When you click the User Portal link, the SSL VPN default portal opens (see Figure 133 on page 217). This user portal is not the same as the new SSL portal login screen that you defined in Create the Portal Layout on page 198.
To open the new SSL portal login screen:
1. Select VPN > SSL VPN > Portal Layouts. The Portal Layout screen displays (see Figure 124 on page 199).
2. In the Portal URL column of the List of Layouts table, click a URL. The new SSL portal login screen displays. The following figure displays the previously created CustomerSupport portal layout as an example.
Figure 132: SSL portal login screen for the CustomerSupport layout (title: Welcome to Customer Support; fields: Username, shown as TestUser, Password/Passcode, Domain)
3. Enter a user name and password that are associated with the SSL portal and the doma
226. dit IKE Policy screen displays. The following figure shows only the IKE SA Parameters section of the screen.
Figure 122: IKE SA Parameters section (Encryption Algorithm, shown as 3DES; Authentication Algorithm; Authentication Method: Pre-shared key or RSA Signature; Pre-shared key, 8 to 49 characters; Diffie-Hellman (DH) Group, shown as Group 2 (1024 bit); SA Lifetime (sec); Enable Dead Peer Detection: Yes/No; Detection Period, shown as 30 seconds; Reconnect after failure count)
The algorithm values shown in the figure (3DES and a 1024-bit DH group) are legacy choices; where the remote peer supports it, select AES and a larger DH group on both ends.
3. In the IKE SA Parameters section of the screen, locate the DPD fields and complete the settings as explained in the following table.
Table 49: Dead Peer Detection settings
Setting | Description
IKE SA Parameters
Enable Dead Peer Detection | Select the Yes radio button to enable DPD. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
Detection Period | The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default setting is 10 seconds.
Reconnect after | The maximum number of DPD
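To make the two DPD settings concrete, here is an added example (illustrative code, not the SRX5308 firmware) that models the RFC 3706 behaviour Table 49 describes: R-U-THERE probes start only after the peer has been silent for the detection period, any inbound traffic or R-U-THERE-ACK resets the count, and the SA is torn down once the configured number of probes has gone unanswered. The mapping of "Reconnect after failure count" to "unanswered probes before teardown" is this example's assumption; the timeline of peer traffic is constructed.

```python
from typing import List, Optional, Set, Tuple


class DeadPeerDetector:
    """Liveness check for one IKE SA. Assumption: failure_count is the number of
    consecutive unanswered R-U-THERE probes after which the SA is torn down."""

    def __init__(self, detection_period: int = 10, failure_count: int = 3):
        if detection_period <= 0 or failure_count <= 0:
            raise ValueError("period and failure count must be positive")
        self.period = detection_period
        self.failure_count = failure_count
        self.last_rx = 0                     # last inbound IPsec packet or R-U-THERE-ACK
        self.last_probe: Optional[int] = None
        self.unanswered = 0
        self.alive = True

    def peer_heard(self, now: int) -> None:
        """Any inbound traffic from the peer proves liveness and resets the count."""
        self.last_rx = now
        self.unanswered = 0

    def tick(self, now: int) -> Optional[str]:
        """Called once per second; returns the action to take, if any."""
        if not self.alive:
            return None
        if now - self.last_rx < self.period:
            return None                      # link not idle: no probe needed
        if self.last_probe is not None and now - self.last_probe < self.period:
            return None                      # a probe is outstanding; wait for it
        if self.unanswered >= self.failure_count:
            self.alive = False               # delete IKE and IPsec SAs, then reconnect
            return "TEARDOWN"
        self.unanswered += 1
        self.last_probe = now
        return "R-U-THERE"


def simulate(detector: DeadPeerDetector, until: int, peer_rx_times: Set[int]) -> List[Tuple[int, str]]:
    """Drive the detector through a constructed timeline of inbound traffic."""
    events = []
    for t in range(1, until + 1):
        if t in peer_rx_times:
            detector.peer_heard(t)
        action = detector.tick(t)
        if action:
            events.append((t, action))
    return events


if __name__ == "__main__":
    print("silent peer:", simulate(DeadPeerDetector(10, 3), 60, set()))
    print("ack at t=25:", simulate(DeadPeerDetector(10, 3), 60, {25}))
    print("busy tunnel:", simulate(DeadPeerDetector(10, 3), 60, set(range(5, 61, 5))))
```

With the defaults from the table (10 seconds, 3 retries) a peer that falls silent is declared dead roughly 40 seconds after its last packet, which bounds how long traffic is black-holed before the rollover or reconnect described above can begin.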
227. dministrators only. Incorrect configuration might cause serious problems.
Each rule lets you specify the desired action for the connections covered by the rule:
- BLOCK always
- BLOCK by schedule, otherwise allow
- ALLOW always
- ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules (Port Forwarding) on page 86. For detailed procedures on how to configure inbound rules, see Set LAN WAN Rules on page 91 and Set DMZ WAN Rules on page 95.
When you define inbound firewall rules, you can further refine their application according to the following criteria:
- Services: You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not appear in the list, you need to define it on the Services screen (see Services-Based Rules on page 83 and Add Customized Services on page 112).
- WAN destination IP address: You can specify the destination IP address for incoming traffic. Traffic is directed to the specified address only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface.
- LAN users: You can specify which computers on your network are affected by an inbound rule. There are several opti
228. dpoints needs to be known in advance in order for the other tunnel endpoint to establish or reestablish the VPN tunnel.
Note: When the VPN firewall's WAN port rolls over, the VPN tunnel closes and needs to be reestablished using the new WAN IP address. However, you can configure automatic IPSec VPN rollover to ensure that an IPSec VPN tunnel is reestablished.
- Dual WAN ports in auto-rollover mode: Rollover for a VPN firewall with dual WAN ports is different from a single WAN port gateway configuration when you specify the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of a fully qualified domain name (FQDN) is always required, even when the IP address of each WAN port is fixed. The remote peer must re-resolve the FQDN when it reconnects, so a long DNS TTL on the dynamic DNS record delays the reestablishment accordingly.
Figure 183: Dual WAN ports before rollover (WAN1 port active, WAN2 port inactive) and after rollover (WAN1 port inactive, WAN2 port active). The IP address of the active WAN port changes after a rollover, so the use of fully qualified domain names is always required, and features requiring fixed IP address blocks are not supported.
Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed ad
229. dress
Figure 11: WAN ISP Settings screen (fields: Get Dynamically from ISP, with optional Client Identifier and Vendor Class Identifier; DNS servers: Get Automatically from ISP, or Use These DNS Servers with Primary DNS Server and Secondary DNS Server; Use Static IP Address with IP Address, IP Subnet Mask, and Gateway IP Address; buttons: Apply, Reset, Test, Auto Detect)
Click the Auto Detect button at the bottom of the screen. The auto-detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The auto-detect process returns one of the following results:
- If the auto-detect process is successful, a status bar at the top of the screen displays the results, for example, DHCP service detected.
- If the auto-detect process senses a connection method that requires input from you, it prompts you for the information.
All methods with their required settings are explained in the following table.
Table 2: Internet connection methods
Connection method | Manual data input required
DHCP (Dynamic IP) | No data is required.
PPPoE | Login (Password, Account Name), Domain Name
PPTP | Login (Password, Account Name), My IP Address, and Server IP Address
Fixed (Static) IP | IP Address, Subnet Mask, and Gateway IP Address, and related data supplied by yo
230. dress of a VPN tunnel client does not conflict with addresses on the local network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are currently assigned to devices on the local network, then start the client address range at 192.168.1.101, or choose an entirely different subnet altogether.
The VPN tunnel client cannot contact a server on the local network if the VPN tunnel client's Ethernet interface shares the same IP address as the server or the VPN firewall. For example, if your PC has a network interface IP address of 10.0.0.45, then you cannot contact a server on the remote network that also has the IP address 10.0.0.45.
Select whether you want to enable full tunnel or split tunnel support based on your bandwidth:
- A full tunnel sends all of the client's traffic across the VPN tunnel.
- A split tunnel sends only traffic that is destined for the local network, based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
Bandwidth is not the only consideration: with a split tunnel the client is simultaneously reachable from the Internet and connected to the LAN, so it can bridge between the two; choose full tunnel where policy requires that remote clients' Internet traffic pass through the firewall.
If you enable split tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you need to add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel.
Configure the Client IP Address R
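The planning rules above (no overlap with addresses in use, avoid the firewall's own address and the network and broadcast addresses, and push a client route when split tunnelling to a different subnet) are easy to get wrong by hand. The following added example, not taken from the manual and not NETGEAR code, checks a proposed client range against a constructed LAN inventory and derives the client routes a split-tunnel setup needs.

```python
import ipaddress
from typing import Iterable, List


def check_client_range(local_subnet: str, firewall_ip: str, assigned_hosts: Iterable[str],
                       first_client: str, last_client: str) -> List[str]:
    """Problems with a proposed SSL VPN client address range; an empty list means acceptable."""
    local = ipaddress.IPv4Network(local_subnet)
    fw = ipaddress.IPv4Address(firewall_ip)
    first = ipaddress.IPv4Address(first_client)
    last = ipaddress.IPv4Address(last_client)
    if first > last:
        return [f"start {first} is above end {last}"]
    problems = []
    clients = range(int(first), int(last) + 1)
    used = {int(ipaddress.IPv4Address(h)) for h in assigned_hosts} | {int(fw)}
    clash = sorted(set(clients) & used)
    if clash:
        problems.append(f"{len(clash)} address(es) already in use on the LAN, "
                        f"first is {ipaddress.IPv4Address(clash[0])}")
    if first in local and last in local:
        # A range inside the LAN subnet must not include its network/broadcast address.
        for special in (local.network_address, local.broadcast_address):
            if int(special) in clients:
                problems.append(f"{special} is the network or broadcast address of {local}")
    elif first in local or last in local:
        problems.append(f"range straddles the edge of {local}")
    return problems


def client_routes(local_subnets: Iterable[str], first_client: str, split_tunnel: bool) -> List[str]:
    """Networks to configure as client routes. A full tunnel needs none (all traffic
    is sent through the tunnel). A split tunnel needs one for every local subnet the
    client range does not itself belong to."""
    if not split_tunnel:
        return []
    first = ipaddress.IPv4Address(first_client)
    return [s for s in local_subnets if first not in ipaddress.IPv4Network(s)]


# Constructed example matching the text: LAN 192.168.1.0/24, firewall at .1,
# hosts .1 through .100 already assigned.
LAN = "192.168.1.0/24"
FIREWALL = "192.168.1.1"
IN_USE = [f"192.168.1.{i}" for i in range(1, 101)]

if __name__ == "__main__":
    print(check_client_range(LAN, FIREWALL, IN_USE, "192.168.1.101", "192.168.1.150"))
    print(check_client_range(LAN, FIREWALL, IN_USE, "192.168.1.50", "192.168.1.150"))
    print(client_routes([LAN], "10.10.10.1", split_tunnel=True))
```

The check runs against an inventory of assigned addresses, so its value depends on that inventory being complete; the DHCP lease table and the LAN Groups database are the two sources on the firewall side.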
231. dresses.
- Dual WAN ports in load balancing mode: Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic based on the ISP. You need to use FQDNs when the IP address is dynamic, but FQDNs are optional when the IP address is static.
Figure 184: Dual WAN ports, load balancing (WAN1 IP reachable as netgear1.dyndns.org, WAN2 IP reachable as netgear2.dyndns.org). Use of fully qualified domain names for the IP addresses of the WAN ports is required for dynamic IP addresses and optional for fixed IP addresses.
Inbound Traffic
Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can configure the VPN firewall to forward it to one or more LAN hosts on your network.
The addressing of the VPN firewall's dual WAN port depends on the configuration being implemented.
Table 79: IP addressing requirements for exposed hosts in a dual WAN port configuration
Configuration and WAN IP address | Single WAN port (reference case) | Dual WAN port: Rollover | Dual WAN port: Load Balancing
Inbound traffic (port forwarding, port triggering), fixed IP address | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
Inbound traffic (port forwarding, port triggering), dynamic IP address | FQDN required | FQDN required | FQDN required
232. e Port Number (1 to 65535)
Figure 129: Edit Resources screen. Example entry: Type IP Address; Port 42500 to 42560; Mask Length 32; IP Address 186.192.20.54; Action Delete.
3. Complete the settings as explained in the following table.
Table 53: Edit Resources screen settings
Setting | Description
Resource Name | The unique identifier for the resource. For information only: you cannot edit the resource name after you have created it on the Resources screen.
Service | The SSL service that is assigned to the resource. For information only: you cannot edit the service after you have assigned it to the resource on the Resources screen.
Object Type | From the drop-down list, select one of the following options:
- IP Address: The object is an IP address. You need to enter the IP address or the FQDN in the IP Address/Name field.
- IP Network: The object is an IP network. You need to enter the network IP address in the Network Address field and the network mask length in the Mask Length field.
IP Address/Name | Applicable only when you select IP Address as the object type. Enter the IP address or FQDN for the location that is permitted to use this resource.
Network Address | Applicable only when you select IP Network as the objec
233. e VPN firewall. If all LEDs are still on more than several minutes after power-up:
- Turn the power off and then turn it on again to see if the VPN firewall recovers.
- Reset the VPN firewall's configuration to factory defaults. Doing so sets the VPN firewall's IP address to 192.168.1.1 and restores the default administrator password, so change the password and restore your saved configuration before reconnecting the WAN ports. This procedure is explained in Restore the Default Configuration and Password on page 299.
If the error persists, you might have a hardware problem and should contact NETGEAR Technical Support.
LAN or WAN Port LEDs Not On
If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following:
- Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation.
- Make sure that power is turned on to the connected hub, router, or workstation.
- Be sure you are using the correct cables. When connecting the VPN firewall's WAN ports to one or two devices that provide the Internet connections, use the cables that are supplied with the devices. These cables could be standard straight-through Ethernet cables or Ethernet crossover cables.
Troubleshoot the Web Management Interface
If you are unable to access the VPN firewall's web management interface from a PC on your local network, check the following:
- Check the Ethernet connection between the PC and the
234. e VPN firewall LAN port to a VLAN, packets entering and leaving that LAN port are tagged with the VLAN ID. However, untagged packets entering the VPN firewall LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged.
Assign and Manage VLAN Profiles
To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display with the LAN Setup screen in view. The following figure shows the default VLAN profile and another VLAN profile as examples.
Figure 29: LAN Setup screen. VLAN Profiles table example: defaultVlan (VLAN ID 1, Subnet IP 192.168.1.1, DHCP Enabled) and SalesVLAN (VLAN ID 2, Subnet IP 192.174.60.22, DHCP Disabled); table buttons Select All, Delete, Enable, Disable, Add; port assignment row for Port1, Port2, Port3, Port4, and DMZ, each set to defaultVlan.
For each VLAN profile, the following fields are displayed in the VLAN Profiles table:
- Check box: Allows you to select the VLAN profile in the table.
- Status icon: Indicates the status of the VLAN profile. Green circle: the VLAN profile is enabled. Gray circle: the VLAN profile is disabled.
- Profile Name: The
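The tagging behaviour described at the top of this section (tagged frames keep their VLAN ID, untagged frames fall into the port's PVID, and frames leaving on their PVID VLAN go out untagged) is shown below at the frame level. This is an added example, not NETGEAR code and not a capture from the device: it builds and parses 802.1Q frames with a constructed pair of MAC addresses and applies the ingress and egress rules from the text.

```python
import struct
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
DEFAULT_PVID = 1       # the firewall's default VLAN


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # priority + VID, no DEI
        header += struct.pack("!HH", ETH_P_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN ID, real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress(frame: bytes, port_pvid: int = DEFAULT_PVID) -> Tuple[int, bytes]:
    """Classify a frame arriving on a LAN port: tagged frames keep their VID,
    untagged frames are assigned the port's PVID."""
    info = parse_frame(frame)
    vid = info["vlan_id"] if info["vlan_id"] is not None else port_pvid
    return vid, frame


def egress(vlan_id: int, frame: bytes, port_pvid: int) -> bytes:
    """Emit a frame on a LAN port: strip the tag when the VLAN equals the port's
    PVID (the untagged VLAN), otherwise make sure the frame carries the tag."""
    info = parse_frame(frame)
    tag = None if vlan_id == port_pvid else vlan_id
    return build_frame(info["dst"], info["src"], info["ethertype"], info["payload"], vlan_id=tag)


# Constructed sample frames: an untagged ARP frame and an IPv4 frame tagged VLAN 2
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
UNTAGGED = build_frame(DST, SRC, 0x0806, b"\x00\x01\x08\x00")
TAGGED_2 = build_frame(DST, SRC, 0x0800, b"\x45\x00", vlan_id=2, pcp=3)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged VLAN 2", TAGGED_2)):
        vid, _ = ingress(f)
        print(f"{name}: classified into VLAN {vid}; egress on PVID 1 port tagged="
              f"{parse_frame(egress(vid, f, 1))['vlan_id']}")
```

The security consequence of the PVID rule is visible here: a host on an untagged port cannot choose its VLAN, because the tag is assigned by the port, whereas on a port that accepts tagged frames the host's own tag is honoured.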
235. e aliases for each WAN port. See Configure Secondary WAN Addresses on page 41.
6. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names. See Configure Dynamic DNS on page 42.
7. Configure the WAN options (optional). You can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features, and changing them is not usually required. Leave ping response disabled unless your 
ISP or monitoring requires it, because it makes the WAN address easy to discover from the Internet. See Configure Advanced WAN Options on page 51.
Each of these tasks is detailed separately in this chapter.
Note: For information about how to configure the WAN meters, see Enable the WAN Traffic Meter on page 263.
The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is described in later chapters.
Qualified Web Browsers
To configure the VPN firewall, you need to use a web browser such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript, cookies, and SSL enabled. Although these web browsers are qualified for use with the VPN firewall's web management interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required only for the SSL VPN portal, not for the web management interface.
Log In to the VPN Firewall
To connect to the VPN firewall, your computer needs to be configured to
236. e ... 81
Administrator Tips ... 82
Use Rules to Block or Allow Specific Kinds of Traffic ... 82
Services-Based Rules ... 83
Order of Precedence for Rules ... 90
Set LAN WAN Rules ... 91
Set DMZ WAN Rules ... 95
Set LAN DMZ Rules ... 98
Inbound Rules Examples ... 101
Outbound Rules Examples ... 105
Configure Other Firewall Features ... 106
Attack Checks ... 106
Set Session Limits ... 109
Manage the Application Level Gateway for SIP Sessions ... 111
Create Services, QoS Profiles, and Bandwidth Profiles ... 111
Add Customized Services ... 112
Create IP Groups ... 114
Create Quality of Service (QoS) Profiles ... 116
Create Bandwidth Profiles ... 118
Set a Schedule to Block or Allow Specific Traffic ... 121
Content Filtering ... 123
COMON PURO ... 123
Enable and Configure Content Filtering ... 124
Enable Source MAC Filtering ... 12
237. e not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the LAN is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network, restrict the WAN Users range to known source addresses where the service permits it, and enable logging on the rule so that use of the opening is recorded.
To create a new inbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays. The following figure shows an example.
Figure 44: Add LAN WAN Inbound Service screen (fields: Service, shown as ANY; Action, shown as BLOCK always; Select Schedule, shown as Schedule 1; Send to LAN Server, Single Address with Start/End; Translate to Port Number; WAN Destination IP Address, shown as WAN1; LAN Users Start/End; WAN Users Start/End; QoS Profile; Log; Bandwidth Profile)
2. Enter the settings as explained in Table 19 on page 88.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
Set DMZ WAN Rules
The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through. You can the
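The following added example (illustrative code, not the firewall's implementation) ties together the inbound rule settings from Table 19, the four actions and refinement criteria described under Network and System Management, and the default policies stated for LAN WAN (blocked) and LAN DMZ (allowed) inbound traffic. It evaluates a constructed rule table against sample connections. The first-match-in-table-order precedence, the treatment of an unset WAN Destination IP Address as "any", and the rule table itself are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

BLOCK_ALWAYS = "BLOCK always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_ALWAYS = "ALLOW always"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"


@dataclass
class Schedule:
    days: Set[int]      # datetime.weekday(): 0 = Monday .. 6 = Sunday
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class InboundRule:
    service: Tuple[str, int, int]       # (protocol, first port, last port); ("ANY", 0, 65535) = all
    action: str
    wan_users: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # inclusive source range ("Any")
    wan_destination_ip: Optional[str] = None   # None = any WAN address (assumption)
    schedule: Optional[Schedule] = None
    send_to_lan_server: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        proto, lo, hi = self.service
        if proto != "ANY" and (proto != pkt["proto"] or not lo <= pkt["dport"] <= hi):
            return False
        src = ipaddress.IPv4Address(pkt["src"])
        first, last = (ipaddress.IPv4Address(a) for a in self.wan_users)
        if not first <= src <= last:
            return False
        return self.wan_destination_ip in (None, pkt["dst"])

    def verdict(self, when: datetime) -> str:
        if self.action == ALLOW_ALWAYS:
            return "ALLOW"
        if self.action == BLOCK_ALWAYS:
            return "BLOCK"
        in_window = self.schedule is not None and self.schedule.active(when)
        if self.action == ALLOW_BY_SCHEDULE:
            return "ALLOW" if in_window else "BLOCK"
        return "BLOCK" if in_window else "ALLOW"      # BLOCK by schedule, otherwise allow


def evaluate(rules: List[InboundRule], pkt: dict, when: datetime, default: str = "BLOCK"):
    """First matching rule in table order decides; otherwise the default policy
    applies (BLOCK for LAN WAN inbound, ALLOW for LAN DMZ inbound). Returns the
    verdict and, for an allowed connection, the LAN server it is forwarded to."""
    for rule in rules:
        if rule.matches(pkt):
            v = rule.verdict(when)
            return v, (rule.send_to_lan_server if v == "ALLOW" else None)
    return default, None


# Constructed rule table: a public web server, and SSH from one partner range
# during business hours only.
BUSINESS_HOURS = Schedule({0, 1, 2, 3, 4}, time(9, 0), time(17, 0))
RULES = [
    InboundRule(("TCP", 80, 80), ALLOW_ALWAYS, send_to_lan_server="192.168.1.10"),
    InboundRule(("TCP", 22, 22), ALLOW_BY_SCHEDULE, wan_users=("203.0.113.0", "203.0.113.255"),
                schedule=BUSINESS_HOURS, send_to_lan_server="192.168.1.20"),
]
WEEKDAY_10AM = datetime(2024, 1, 8, 10, 0)   # a Monday
SUNDAY_10AM = datetime(2024, 1, 7, 10, 0)


def decide(proto: str, dport: int, src: str, when: datetime, default: str = "BLOCK"):
    """Evaluate one inbound connection to the WAN1 address against RULES."""
    pkt = {"proto": proto, "dport": dport, "src": src, "dst": "198.51.100.2"}
    return evaluate(RULES, pkt, when, default)


if __name__ == "__main__":
    print(decide("TCP", 80, "198.51.100.7", WEEKDAY_10AM))
    print(decide("TCP", 22, "203.0.113.5", SUNDAY_10AM))
    print(decide("TCP", 22, "198.51.100.7", WEEKDAY_10AM))
```

Note how the SSH rule is limited twice, by source range and by schedule: a connection from outside 203.0.113.0/24 never reaches the rule's verdict and falls through to the default block, while a connection from inside it outside business hours is blocked by the rule itself.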
238. e of the following table buttons:
- Enable: Enables the binding or bindings. The status icon changes from a gray circle to a green circle, indicating that the selected binding or bindings are enabled. By default, when a binding is added to the table, it is automatically enabled.
- Disable: Disables the binding or bindings. The status icon changes from a green circle to a gray circle, indicating that the selected binding or bindings are disabled.
- Delete: Deletes the binding or bindings.
Configure Secondary WAN Addresses
You can set up a single WAN Ethernet port to be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server even though both servers use the same physical IP address. You can add several secondary IP addresses to a single WAN port.
After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:
- In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens: Add LAN WAN Inbound Service screen; Add DMZ WAN Inbound Service screen.
- In the NAT IP drop-down lists of the following outbound firewall rule screens: Add LAN WAN Outbound Service screen; Add D
239. ead-only access.
Table 60: Edit User screen settings (continued)
Setting | Description
Check to Edit Password | Select this check box to make the password fields accessible to modify the password.
Enter Your Password | Enter the old password.
New Password | Enter the new password.
Confirm New Password | Reenter the new password for confirmation.
Idle Timeout | The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 10 minutes.
4. Click Apply to save your settings.
Manage Digital Certificates
The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities. The same digital certificates are extended for secure web access connections over HTTPS (that is, SSL connections). Digital certificates either can be self-signed or can be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if the digital certificate contains the extKeyUsage extension, the certificate needs to be used for one of the purposes defined by the extension. For example, if the digital certificate
240. e ... 290
Reboot the VPN Firewall ... 291
Cane PP ek acti las ... 291
Chapter 10 Troubleshooting and Using Online Support
Basic Functions ... 294
Power LED Not On ... 294
Test LED Never Turns Off ... 294
LAN or WAN Port LEDs Not On ... 295
Troubleshoot the Web Management Interface ... 295
When You Enter a URL or IP Address, a Time-Out Error Occurs ... 296
Troubleshoot the ISP Connection ... 296
Troubleshoot a TCP/IP Network Using the Ping Utility ... 298
Test the LAN Path to Your VPN Firewall ... 298
Test the Path from Your PC to a Remote Device ... 299
Restore the Default Configuration and Password ... 299
Problems with Date and Time ... 300
Access the Knowledge Base and Documentation ... 301
Appendix A Default Settings and Technical Specifications
Appendix B Network Planning for Multiple WAN Ports
What to Consider Before You Begin ... 306
Cabling and Computer Hardware Requirements ... 307
Computer Network Configuration Requirements ... 308
Internet Configuration Requirements ... 308
Overview of the Plann
241. Check Interval: Enter 30 seconds.
• Max. number of entries: Enter 3 retries.
• Delay between entries: Leave the default delay setting of 15 seconds.

4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

The Mode Config configuration of the VPN client is now complete.

Test the Mode Config Connection

> To test the Mode Config connection from the VPN client to the VPN firewall:
1. Right-click the system tray icon and click Open tunnel Tunnel_ModeConfig.
(Figure 118: VPN client system tray menu with Open tunnel Tunnel_ModeConfig, Console, Connection Panel, Configuration Panel, and Quit)
When the tunnel opens successfully, the Tunnel opened message displays above the system tray and the VPN client displays a green icon in the system tray.
(Figure 119: Tunnel_ModeConfig Tunnel opened notification above the system tray)
2. Verify that the VPN firewall issued an IP address to the VPN client. This IP address displays in the VPN Client address field on the IPSec pane of the VPN client. The following figure shows the upper part of the IPSec pane only.
(Screenshot of the NETGEAR ProSafe VPN Client Professional: VPN Configuration tree with Global Parameters and GW_ModeConfig, IPSec pane with Addr
242. Select All table button to select all PCs and devices.
Click the Delete table button.

Change Group Names in the Network Database

By default, the groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as GlobalMarketing and GlobalSales.

> To edit the names of any of the eight available groups:
1. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays (see Figure 34 on page 68, which shows some examples in the Known PCs and Devices table).
2. Click the Edit Group Names option arrow in the upper right of the LAN Groups screen. The Network Database Group Names screen displays. The following figure shows some examples.
(Figure 36: Network Database Group Names screen, with example group names such as Management and Shipping)
3. Select the radio button next to any group name to enable editing.
4. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes are not allowed.
5. Repeat step 3 and step 4 for any other group names.
6. Click Apply to save your settings.

Set Up Address Reservation

When you specify a reserved IP address for a PC or device on the LAN based on the MAC address o
243. ed before being allowed to access the VPN firewall or the VPN-protected network. The login window that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines the authentication method that is used and, for SSL connections, the portal layout that is presented.

Note: IPSec VPN users always belong to the default domain (geardomain) and are not assigned to groups.

Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain.

Configure Domains

The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain.

The following table summarizes the authentication protocols and methods that the VPN firewall supports.

Table 55. Authentication protocols and methods
• PAP: Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
• CHAP: Challenge Handshake Authentication Protocol (CHAP) executes a three-way handshake in which the client and server t
244. ed hosts 43, 104
extended authentication (XAUTH), configuring 172, 176

F
factory default settings: reverting to 258; specifications 302
failover attempts, DNS lookup or ping 36
failover protection. See auto-rollover mode
failure detection method 34, 36
filtering, NAT for tunnels 108
firewall: attack checks 106; connecting to the Internet 308; custom services 83, 112; default settings 303; inbound rules, see inbound rules; LAN bandwidth profiles 118, 121; outbound rules, see outbound rules; overview 11; QoS LAN profiles 116, 118; rules (inbound, see inbound rules; outbound, see outbound rules; numbers and types supported 82; order of precedence 90; scheduling 121)
firmware: downloading and upgrading 259; versions 275
FQDNs (fully qualified domain names): auto-rollover mode and load balancing mode 43; multiple WAN ports 134, 135, 306, 313; SSL VPN port forwarding 198
front panel: LEDs 15; ports 14
fully qualified domain names. See FQDNs

G
gateway IP address, ISP 31
group policies, precedence 210
groups: for VPN policies 224; IP groups (assigning in inbound rules 89; assigning in outbound rules 85; creating 114); LAN groups (assigning in inbound rules 89; assigning in outbound rules 85; managing 69, 71)
guests, user account 227, 228
GUI 23

H
hardware: front panel ports 14; rear panel components 16; requirements 307
help button, web management interface 24
host names SS
245. ed in Content Filtering on page 123.

Apply Keyword Blocking to
> To apply keyword blocking to groups:
1. Select the check boxes for the groups to which you wish to apply keyword blocking, or click the Select All button to select all groups.
2. Click the Enable button to activate keyword blocking for these groups. To deactivate keyword blocking for the selected groups, click the Disable button.

Add Blocked Keyword(s)
> To build your list of blocked keywords or blocked domain names:
1. In the Add Blocked Keyword section, enter a keyword or domain name in the Blocked Keyword field.
2. After each entry, click the Add table button. The keyword or domain name is added to the Blocked Keywords table. To edit an entry, click the Edit table button in the Action column adjacent to the entry.

Add Trusted Domain(s)
> To build your list of trusted domains:
1. In the Add Trusted Domain section, enter a domain name in the Trusted Domains field.
2. After each entry, click the Add table button. The domain name is added to the Trusted Domains table. To edit an entry, click the Edit table button in the Action column adjacent to the entry.

5. Click Apply to save your selection of web components. The selected groups for keyword blocking are saved after you have clicked the Enable button; keywords and trusted domains are saved after you have added them to their respective tables.

Enable Source MAC Filtering

The Source MAC
246. ed to illustrate this procedure:
• NETGEAR VPN firewall: WAN1 IP address 99.180.226.101; LAN IP address/subnet 192.168.1.1, subnet 255.255.255.0; DMZ IP address/subnet 192.168.10.1, subnet 255.255.255.0
• Web server PC on the VPN firewall's LAN: LAN IP address 192.168.1.2; DMZ IP address 192.168.10.2; access to the web server is simulated with public IP address 192.168.55.110

Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.

> To configure the VPN firewall for additional IP addresses:
1. Select Security > Firewall. The Firewall submenu tabs display. If your server is to be on your LAN, select the LAN WAN Rules submenu tab. This is the screen we will use in this example. If your server is to be on your DMZ, select the DMZ WAN Rules submenu tab.
The Add LAN WAN Inbound Service screen displays.
(Figure 53: Add LAN WAN Inbound Service screen with the fields Service, Action, Select Schedule, Send to LAN Server (Start/End), WAN Destination IP Address (Start/End), WAN Users (Start), QoS Profile, Log, and Bandwidth Profile)
Translate to Por
247. eleted. All untagged traffic is routed through the default VLAN (VLAN1), which needs to be assigned to at least one LAN port.

Note the following about VLANs and PVIDs:
• One physical port is assigned to at least one VLAN.
• One physical port can be assigned to multiple VLANs.
• When one port is assigned to multiple VLANs, the port is used as a trunk port to connect to another switch or router.
• When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
• When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.

When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile.

The following is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the VPN firewall, the other one to another device: Packets coming from the IP phone to the VPN firewall LAN port are tagged. Packets passing through the IP phone from a connected device to the VPN firewall LAN port are untagged. When you assign th
248. embership: configuring 61; viewing 281; status, viewing 280
VoIP (voice over IP) sessions 111
VPN client: Configuration Wizard, using 144; configuring manually 148; Mode Config tunnel, opening 190; Mode Config, configuring 183; tunnel, opening 155
VPN IPSec Wizard. See IPSec VPN Wizard
VPN tunnels: active users 281; auto-rollover mode 135; client policy, creating 144; client-to-gateway, using IPSec VPN Wizard 141; connection status 157; DPD 193; failover 138, 142, 169; FQDNs 135, 313; gateway-to-gateway (auto-rollover 317; load balancing 318; single WAN port mode 317; using IPSec VPN Wizard 136); IKE policies (managing 159, 165; ModeConfig 179); increasing traffic 247; IPSec VPN policies (automatically generated 165; groups, configuring 224; managing 159; manually generated 165); keep-alives 169, 192; load balancing mode 135; logs, viewing 283; NetBIOS 169, 194; pass-through (IPSec, PPTP, L2TP) 108; planning 310; pre-shared key 138, 142, 164; Road Warrior (auto-rollover 315; load balancing 316; single WAN port mode 315); rollover 138, 142, 169; RSA signature 164; SSL, see SSL VPN; testing connections 155; tunnel connection status 282; VPN Telecommuter (auto-rollover 319; load balancing 320; single WAN port mode 319); XAUTH 172, 176
VPNC (Virtual Private Network Consortium) 13, 136

W
WAN: advanced settings 53; auto-rollover mode (configuring 34, 35; DDNS 43; description 32; VPN IPSec 134); bandwidth capacity 242; classical routing mode 33; connection speed and
249. en allowed by the firewall.
• For other settings, see Table 81 on page 322.
Recommended Action: None.

DMZ to LAN Logs

Table 112. Routing Logs: DMZ to WAN
Message: Nov 29 09:44:06 SRX5308 kernel DMZ2LAN DROP IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from DMZ to LAN has been dropped by the firewall.
• For other settings, see Table 81 on page 322.
Recommended Action: None.

WAN to DMZ Logs

Table 113. Routing Logs: WAN to DMZ
Message: Nov 29 09:19:43 SRX5308 kernel WAN2DMZ ACCEPT IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from WAN to DMZ has been allowed by the firewall.
• For other settings, see Table 81 on page 322.
Recommended Action: None.

Other Event Logs

This section describes the log messages generated by other events, such as source MAC filtering, session limiting, and bandwidth limiting. For information about how to select these logs, see Activate Notification of Events, Alerts, and Syslogs on page 269.

Session Limit Logs

Table 114. Other Event Logs: Session Limit Logs
Message: 2000 Jan 1 06:53:33 SRX5308 kernel SESS_LIMIT DROP IN=LAN OUT=WAN SRC=192.168.11.2 DST=20.0.0.1 PROTO=TCP SPT=50709 DPT=21
Explanation: When two FTP
250. en traffic is covered by two or more policies, the first matching policy is used. In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, then the policy order is not important.
• The VPN tunnel is created according to the settings in the security association (SA).
• The remote VPN endpoint needs to have a matching SA; otherwise, it refuses the connection.

> To access the VPN Policies screen:
Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays. The following figure shows some examples.
(Figure 106: VPN Policies screen with the columns Name, Type, Local, Remote, Auth, Encr, and Action, listing the example policies GW1 to GW2 (Auto Policy, local 192.168.1.0/255.255.255.0, remote 192.172.1.0/255.255.255.0, SHA-1, 3DES) and Client to mainoffice (Auto Policy, local 192.168.1.0, remote Any, SHA-1, 3DES), and the table buttons Select All, Enable, Disable, Delete, and Add)

Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 40 on page 169.

Table 39. VPN Policies screen information
• Status: Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable
251. entifier (PVID) 56
portals, SSL VPN 196, 201, 216, 218
ports: front panel and rear panel 14, 16; numbers (for port triggering 130; for services 112; for SSL VPN port forwarding 203); speed 53; VLAN membership (configuring 61; viewing 281)
Power LED 15, 294
power receptacle 16
power specifications, adapter 303
PPP connections, SSL 197
PPPoE and PPTP, configuring 27, 30
pre-shared key 138, 142, 164
primary RADIUS server 175
primary WAN mode: bandwidth capacity 242; description 32
priority: LAN QoS profile 118; WAN QoS profile 50
private routes 77
profiles: LAN bandwidth 118; LAN QoS 116; WAN QoS 46
ProSafe VPN Client software: configuring 143, 183; license 11
protection from common attacks 106
protocol binding, configuring 36, 40
protocols: compatibilities 303; RIP 12; service numbers 112; traffic volume by protocol 266
proxy server, blocking 123
public web server, hosting 101
PVID (Port VLAN Identifier) 56

Q
QoS (Quality of Service): LAN profiles 116, 118; shifting the LAN traffic mix 247; WAN profiles 46, 51
queue priority: LAN traffic 118; WAN traffic 50

R
rack mounting kit 18
RADIUS: CHAP and PAP 165, 172, 174, 222; edge device 172; RADIUS-MSCHAP v2 222; server and client configuration 174, 176
rate control, WAN QoS profile 47
rate limiting traffic 54
read-only access 227
rebooting remotely 291
reducing traffic, features 243, 245
regulatory compliance 304
relay gateway, DHCP 62, 74
Remote Aut
252. enu link (orange).
(Figure 7)

The web management interface menu consists of the following components:
• 1st Level: main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the VPN firewall and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd Level: configuration menu links. The configuration menu links in the gray bar immediately below the main navigation menu bar change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
• 3rd Level: submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar. When you select a submenu tab, the text is displayed in white against a blue background.
• Option arrows: If there are additional screens for the submenu item, they are displayed on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.

The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. The following figure shows an example.
(Figure 8)

Any of the following action buttons might be displayed on screen (this list might not be complete):
• Apply: Save and apply the configuration
253. er.
2. In the Upload Trusted Certificates section of the screen, click Browse and navigate to the trusted digital certificate file that you downloaded on your computer.
3. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificate) table.

> To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of the digital certificate that you want to delete, or click the Select All table button to select all digital certificates.
2. Click the Delete table button.

Manage Self-Signed Certificates

Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. The following figure shows an image of a browser security alert.

There can be three reasons why a security alert is generated for a security certificate:
• The security certificate was issued by a company you have not chosen to trust.
• The date of the security certificate is invalid.
• The name on the security certificate is invalid or does not match the name of the s
254. (Figure 201: VPN Telecommuter scenario: a VPN Router at the employer's main office with WAN IP addresses labelled bzrouter1 and bzrouter2.dyndns.org, a NAT Router at the telecommuter's home office, and a Remote PC running the NETGEAR ProSafe VPN Client; fully qualified domain names (FQDNs) are optional for fixed IP addresses and required for dynamic IP addresses)

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.

System Logs and Error Messages

This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided.

This appendix contains the following sections:
• System Log Messages
• Routing Logs
• Other Event Logs
• DHCP Logs

This appendix uses the following log message terms.

Table 81. Log message terms
• SRX5308: System identifier
• kernel: Message from the kernel
• CODE: Protocol code (e.g., protocol is ICMP, type 8, and CODE 0 means successful reply)
• DEST: Destination IP address of the machine to which the packet is destined
• DPT: Destination port
• IN: Incoming interface for packet
• OUT: Outgoing interface for packet
• PROTO: Protocol used
• SELF: Packet coming from the system only
• SPT: Source port
• SRC: Source IP address of machine from which the packet is co
255. er the additional allowed volume in MB. The default setting is 0 MB.
Note: When you click Apply to save these settings, this field is reset to 0 MB so that the increase is applied only once.
• This month limit: This is a nonconfigurable field that displays the total monthly traffic volume limit that is applicable to this month. This total is the sum of the monthly traffic volume and the increased traffic volume.

Traffic Counter
• Restart Traffic Counter: Select one of the following radio buttons to specify when the traffic counter restarts.
  - Restart Traffic Counter Now: Select this option and click Apply at the bottom of the screen to restart the traffic counter immediately.
  - Restart Traffic Counter at a Specific Time: Restart the traffic counter at a specific time and day of the month. Fill in the time fields and select AM or PM and the day of the month from the drop-down lists.
• Send e-mail report before restarting counter: An email report is sent immediately before the counter restarts. Ensure that emailing of logs is enabled on the Email and Syslog screen (see Activate Notification of Events, Alerts, and Syslogs on page 269).

When Limit is reached
• Block Traffic: Select one of the following radio buttons to specify what action the VPN firewall performs when the traffic limit has been reached.
  - Block All Traffic: All incoming and outgoing Internet and email traffic is blocked.
  - Block All Traffic Except E-Mail: All
256. ervation 72
Address Resolution Protocol (ARP): broadcasting packets 65; requests 67
administrator: default name and password 21; receiving logs by email 272; settings (admin) 248, 250; tips for firewall and content filtering 82; user account 227, 228
advertisement, UPnP information 133
AES (Advanced Encryption Standard) 163, 170, 171, 179
agent, SNMP 255
alerts, configuring 269, 273
application level gateway (ALG) 111
ARP (Address Resolution Protocol): broadcasting packets 65; requests 67
arrow, web management interface 23
attached devices: monitoring with SNMP 254; viewing 287
attack checks, configuring 106
authentication: extended 172, 176; for IPSec VPN (pre-shared key 138, 142, 164; RSA signature 164). See also RADIUS, MIAS, WiKID, NT Domain, Active Directory, LDAP
authentication domain 227
authentication, authorization, and accounting (AAA) 174
authoritative mode, NTP servers 261
Auto Uplink, autosensing Ethernet connections 12
auto-detecting WAN settings 26
automatic logout 234, 250
auto-rollover mode: bandwidth capacity 242; configuring 34, 35; DDNS 43; description 32; VPN IPSec 134
auto-sensing port speed 53

B
backing up configuration file 257
backup RADIUS server 175
bandwidth allocation, WAN rate control 49
bandwidth capacity 242
bandwidth limits, logging dropped packets 271
bandwidth profiles: configuring for LAN traffic 118, 121; shifting traffic mix 248
banners, SSL portal 200
base distinguished name (DN), LDAP 222
bloc
257. ervices (DS) field, which is the same as the ToS byte of an IP header.

Table 23. Add QoS Profile screen settings (continued)
• Re-Mark QoS Value (continued): The QoS value in the ToS or Diffserv byte of an IP header. The QoS value that you enter depends on your selection from the QoS drop-down list:
  - For IP Precedence, select a value from 0 to 7.
  - For DSCP, select a value from 0 to 63.
• QoS Priority: The QoS priority represents the classification level of the packet among the priority queues within the VPN firewall. If you select Default, packets are mapped based on the ToS bits in their IP headers. From the QoS Priority drop-down list, select one of the following priority queues: Default, High, Medium High, or Medium Low.

4. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table.

> To edit a QoS profile:
1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table.

> To delete a QoS profile:
1. In the List of QoS Profiles table, select the check box to the left of
258. es.
3. Click Apply to save your settings.

Note: Enabling logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only.

> To view the routing logs, system logs, and other event logs onscreen:
1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays.
2. Click the View Log option arrow in the upper right of the Firewall Logs & E-mail screen. The View Log screen displays.

(View Logs screen, showing the following entries:)
2011 Jul 20 19:52:32 SRX5308 wand IPSEC IPSEC Restarted
Last output repeated twice
2011 Jul 20 19:52:03 SRX5308 wand FW Firewall Restarted
2011 Jul 20 19:51:21 SRX5308 wand IPSEC IPSEC Restarted
2011 Jul 20 19:50:58 SRX5308 wand FW Firewall Restarted
2011 Jul 20 19:50:48 SRX5308 wand IPSEC IPSEC Restarted
2011 Jul 20 19:50:25 SRX5308 wand FW Firewall Restarted
2011 Jul 20 19:42:00 SRX5308 wand IPSEC IPSEC Restarted
2011 Jul 20 19:41:38 SRX5308 wand FW Firewall Restarted
2011 Jul 20 19:40:56 SRX5308 wand IPSEC IPSEC Restarted
2011 Jul 20 19:40:33 SRX5308 wand FW Firewall Restarted
IPSEC IPSEC Restarted
IPSEC IPSEC Restarted
2011 Jul 20 19:16:42 SRX5308 wand FW Firewall Restarted
Last output repeated 29 times
259. es such as DSL broadband accounts, and locate the Internet Service Provider (ISP) configuration information.
• In this manual, the WAN side of the network is presumed to be provisioned as shown in the following figure, with two ISPs connected to the VPN firewall through separate physical facilities.
• Each WAN port needs to be configured separately, whether you are using a separate ISP for each WAN port or you are using the same ISP to route the traffic of both WAN ports.
(Figure 182: Customer premises with route diversity: the VPN firewall's WAN port 1 connects through physical facility 1 to ISP 1, and WAN port 2 connects through physical facility 2 to ISP 2, both reaching the Internet)
• If your ISP charges by the volume of data traffic each month, consider enabling the VPN firewall's traffic meter to monitor or limit your traffic.
Contact a Dynamic DNS service and register FQDNs for one or both WAN ports.
3. Plan your network management approach.
The VPN firewall is capable of being managed remotely, but this feature needs to be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth.
4. Pre
260. es with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker's network location anonymous.

• Disable Ping Reply on LAN Ports: Select the Disable Ping Reply on LAN Ports check box to prevent the VPN firewall from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to prevent the VPN firewall from responding to a ping on a LAN port.

VPN Pass-through (IPSec, PPTP, L2TP)

When the VPN firewall functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted per the VPN policy. For example, if a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another VPN endpoint on the WAN side (placing the VPN firewall between two VPN endpoints), encrypted packets are sent to the VPN firewall. Because the VPN firewall filters the encrypted packets through NAT, the packets become invalid unless you enable the VPN Pass-through feature. To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or all of the following check boxes:
• IPSec: Disables NAT filtering for IPSec tunnels.
• PPTP: Disab
261. esses.
(Figure 120: upper part of the IPSec pane for Tunnel_ModeConfig, showing the VPN Client address field)
3. From the client PC, ping a computer on the VPN firewall LAN.

Modify or Delete a Mode Config Record

> To edit a Mode Config record:
1. On the Mode Config screen (see Figure 109 on page 177), click the Edit table button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays. This screen is identical to the Add Mode Config Record screen (see Figure 110 on page 178).
2. Modify the settings as explained in Table 43 on page 178.
3. Click Apply to save your settings.

> To delete one or more Mode Config records:
1. On the Mode Config screen (see Figure 109 on page 177), select the check box to the left of the record that you want to delete, or click the Select All table button to select all records.
2. Click the Delete table button.

Configure Keep-alives and Dead Peer Detection

In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require a VPN tunnel to remain connected, you can use the keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason. For DPD to function, the peer VPN device on the other end of the tunnel should also support DPD. Keep-alive, though le
262. eters
• MD5 Key Id: The identifier for the key that is used for authentication.
• MD5 Auth Key: The password that is used for MD5 authentication.
• Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
• Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.
Second Key Parameters
• MD5 Key Id: The identifier for the key that is used for authentication.
• MD5 Auth Key: The password that is used for MD5 authentication.

Table 16. RIP Configuration screen settings (continued)
Authentication for RIP-2B/2M (required) (continued)
• Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
• Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.

4. Click Apply to save your settings.

Static Route Example

In this example, we assume the following:
• The VPN firewall's primary Internet access is through a cable modem to an ISP.
• The VPN f
263. ettings
Portal Layout and Theme Name
• Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL.
  Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named CustomerSupport, then users access the sub-site at https://vpn.company.com/portal/CustomerSupport.
  Note: Only alphanumeric characters, hyphens (-), and underscores (_) are accepted in the Portal Layout Name field. If you enter other types of characters or spaces, the layout name is truncated before the first nonalphanumeric character.
  Note: Unlike most other URLs, this name is case-sensitive.
• Portal Site Title: The title that appears at the top of the user's web browser window, for example, Company Customer Support.
• Banner Title: The banner title of a banner message that users see before they log in to the portal, for example, Welcome to Customer Support.
  Note: For an example, see Figure 132 on page 217. The banner title text is displayed in the orange header bar.

Table 50. Add Portal Layout screen settings (continued)
• Banner Message: The text of a banner message that users see before the
264. ettings determine the priority and, in turn, the quality of service for the traffic passing through the VPN firewall. After you have created a QoS profile, you can assign the QoS profile to firewall rules. The QoS is set individually for each service. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others:
• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.
For more information about QoS profiles, see Create Quality of Service (QoS) Profiles on page 116.

Assigning Bandwidth Profiles

When you apply a QoS profile, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links. For more information about bandwidth profiles, see Create Bandwidth Profiles on page 118.

Monitoring Tools for Traffic Management

The VPN firewall includes several tools that can be used to monitor the traffic conditions of the fire
265. settings screen. Message 7: The secondary DNS server that is configured on the WAN ISP Settings screen. Message 7: Sensing idle link. Message 8: Idle link sensed. Message 9: Data sent and received at the LAN side while the link was up. Message 10: PPP connection terminated after idle timeout. Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side. • PPP Authentication Logs. Table 95. System logs: WAN status, PPP authentication. Message: Nov 29 11:29:26 SRX5308 pppd Starting link; Nov 29 11:29:29 SRX5308 pppd Remote message: Login incorrect; Nov 29 11:29:29 SRX5308 pppd PAP authentication failed; Nov 29 11:29:29 SRX5308 pppd Connection terminated; WAN2 DOWN. Explanation: Starting link: Starting PPPoE connection process. Remote message: Login incorrect: Message from PPPoE server for incorrect login. PAP authentication failed: PPP authentication failed due to incorrect login. Connection terminated: PPP connection terminated. Recommended Action: If authentication fails, check the login password and enter the correct one. Resolved DNS Names. This section describes the logs of DNS name resolution messages. Table 96. System logs: DNS name resolution messages. Message: 2000 Jan 1 05:12:00 SRX5308 dnsmasq DNSRESOLV teamf1.com from 192
266. new policy is limited to a single group. From the drop-down list, select a group name. • User: The new policy is limited to a single user. From the drop-down list, select a user name. Note: For information about how to create groups, see Configure Groups for VPN Policies on page 224. For information about how to create user accounts, see Configure User Accounts on page 227. Table 54. Add SSL VPN Policy screen settings (continued). Setting / Description. Add SSL VPN Policies. Apply Policy For: Select one of the following radio buttons to specify how the policy is applied: • Network Resource: The policy is applied to a network resource that you have defined on the Resources screen (see Use Network Resource Objects to Simplify Policies on page 208). The screen adjusts to display the fields that are shown in the Network Resource rows. • IP Address: The policy is applied to a single IP address. The screen adjusts to display the fields that are shown in the IP Address rows of this table. • IP Network: The policy is applied to a network address. The screen adjusts to display the fields that are shown in the IP Network rows of this table. • All Addresses: The policy is applied to all addresses. The screen adjusts to display the fields that are shown in the All Addresses rows of this table. Network
267. Self Certificate Request section and Self Certificate Requests section. The Self Certificate Requests table contains one example. [Figure 148. Certificates screen (2 of 3): Active Self Certificates table (Name, Subject Name, Serial Number, Issuer Name, Expiry Time); Generate Self Certificate Request section (Name, Subject, Hash Algorithm, Signature Algorithm, Signature Key Length, IP Address (Optional), Domain Name (Optional), E-mail Address (Optional)); Self Certificate Requests table (Name, Status) with one example entry, SampleCertificateSRX, Active Self Certificate Not Uploaded; Upload certificate corresponding to a request above.] In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table. Table 61. Generate self certificate request settings. Setting / Description. Name: A descriptive name of the domain for identification and management purposes. Subject: The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose. Note: Generally, all of your certificates should have the same value in the Subject field. Hash Algorithm
268. of the device, that PC or device always receives the same IP address each time it accesses the VPN firewall's DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings. The reserved IP address that you select needs to be outside of the DHCP server pool. To reserve an IP address, select Reserved (DHCP Client) from the IP Address Type drop-down list on the LAN Groups screen (as described in Add PCs or Devices to the Network Database on page 69) or on the Edit Groups and Hosts screen (as described in Edit PCs or Devices in the Network Database on page 70). Note: The reserved address is not assigned until the next time the PC or device contacts the VPN firewall's DHCP server. Reboot the PC or device, or access its IP configuration and force a DHCP release and renew. Configure and Enable the DMZ Port. The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers, such as a web server, FTP server, or email server, and provide public access to them. The fourth LAN port on the VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic th
269. If you have installed login software, then your connection type is PPPoE. Select this radio button and enter the following settings. Account Name: The valid account name for the PPPoE connection. Domain Name: The name of your ISP's domain, or your domain name if your ISP has assigned one. You can leave this field blank. Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in. Connection Reset: Select the Connection Reset check box to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished. Then enter the following settings. Disconnect Time: Specify the hour and minutes when the connection should be disconnected. Delay: Specify the period in seconds after which the connection should be reestablished. In the Internet IP Address section of the screen, configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address. [Screen residue: Internet IP Address section with Subnet Mask, Current IP Address, Get Dynamically from ISP, Client Identifier, Vendor Class Identifier, Use Static
270. default, all services are assigned the medium priority queue, in which they share 30 percent of the interface bandwidth. Both types of profiles let you allocate the Differentiated Services (DiffServ) QoS packet matching and QoS packet marking settings, which you configure by specifying Differentiated Services Code Point (DSCP) values from 0 to 63. Note: Before you enable WAN QoS, make sure that the WAN connection type and speeds are configured correctly in the Upload/Download Settings section of the WAN Advanced screen for the WAN interface (see Configure Advanced WAN Options on page 51). > To enable and configure QoS for WAN interfaces: 1. Select Network Configuration > QoS. The QoS screen displays. The following screen shows some profiles in the List of QoS Profiles table. [Figure 25. QoS screen: Do you want to enable QoS? (Yes/No); QoS Type (Rate Control/Priority); List of QoS Profiles table with columns QoS Type, Interface, Name, Service, Direction, Rate, Action, showing a Rate Control profile (WAN2, HTTP, Inbound, 7500/15000, Group3) and a Priority profile (WAN1, PCAnywhere (UDP), Inbound, Low, 10).] To enable QoS, select the Yes radio button. By default, the No radio button is selected. Specify the profile type that sho
271. Confirm Password: The password in this field needs to be identical to the one in the Password field. Idle Timeout: The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 10 minutes. 4. Click Apply to save your settings. The user is added to the List of Users table. > To delete one or more user accounts: 1. In the List of Users table, select the check box to the left of the user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account. 2. Click the Delete table button. Note: You cannot delete the default admin or guest user. Set User Login Policies. You can restrict the ability of defined users to log in to the VPN firewall's web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. Configure Login Policies. > To configure user login policies: 1. Select Users > Users. The Users screen displays (see Figure 140 on page 227). 2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs display with the Login Policies screen in view. [Screen residue: Policies submenu tabs: Login Policies, by Source IP Address, by Client Br
272. from all addresses in the MAC Addresses table is blocked. Permit: Traffic coming from all addresses in the MAC Addresses table is permitted. 4. Below Add Source MAC Address, build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC address needs to be entered in the format xx:xx:xx:xx:xx:xx, in which x is a numeral 0 to 9 or a letter between a and f (inclusive), for example, aa:11:bb:22:cc:03. 5. Click the Add table button. The MAC address is added to the MAC Addresses table. 6. Click Apply to save your settings. > To remove one or more entries from the table: 1. Select the check box to the left of the MAC address that you want to delete, or click the Select All table button to select all entries. 2. Click the Delete table button. Set Up IP/MAC Bindings. IP/MAC binding allows you to bind an IP address to a MAC address and vice versa. Some PCs or devices are configured with static addresses. To prevent users from changing their static IP addresses, the IP/MAC binding feature needs to be enabled on the VPN firewall. If the VPN firewall detects packets with a matching IP address but with an inconsistent MAC address, or vice versa, the packets are dropped. If you have enabled the logging option for the IP/MAC binding feature, these packets are logged before they are dropped. The VPN
273. against the Inbound rules in the DMZ WAN Rules page. [Figure 45. DMZ WAN Rules screen, with Filter, Log, and Action columns.] > To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons: • Edit: Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit DMZ WAN Outbound Service screen (identical to Figure 46 on page 96) or the Edit DMZ WAN Inbound Service screen (identical to Figure 47 on page 97) displays, containing the data for the selected rule. • Up: Moves the rule up one position in the table rank. • Down: Moves the rule down one position in the table rank. > To delete or disable one or more rules: 1. Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • Disable: Disables the rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled. • Delete: Deletes the selected rule or rules. DMZ WAN Outbound Services Rules. You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom
274. login policies: • Deny login access from a WAN interface. By default, the administrator can log in from a WAN interface. • Deny or allow login access from specific IP addresses. By default, the administrator can log in from any IP address. Note: For enhanced security, restrict access to as few external IP addresses as practical. • Deny or allow login access from specific browsers. By default, the administrator can log in from any browser. In general, these policy settings work well for an administrator. However, if you need to change any of these policy settings, see Set User Login Policies on page 229. Configure Remote Management Access. An administrator can configure, upgrade, and check the status of the VPN firewall over the Internet through either a Secure Sockets Layer (SSL) VPN or a Telnet connection, but needs to be logged in locally to enable remote management. Note: When remote management is enabled and administrative access through a WAN interface is granted (see Configure Login Policies on page 229), the VPN firewall's web management interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Change Passwords and Administrator Settings on page 248).
275. granular access to corporate resources based on user type or group membership. Supports 50 concurrent SSL VPN sessions. A Powerful True Firewall with Content Filtering. Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities: • DoS protection: Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood. • Secure firewall: Blocks unwanted traffic from the Internet to your LAN. • Content filtering: Prevents objectionable content from reaching your PCs. You can control access to Internet content by screening for web services, web addresses, and keywords within web addresses. You can configure the VPN firewall to log and report attempts to access objectionable Internet sites. • Schedule policies: Permits scheduling of firewall policies by day and time. • Logs security incidents: Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the VPN firewall to email the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs. Security Features. The VPN firewall is equipped with several features designed to maintain se
276. gs 302; congestion priority, WAN QoS profile 49; connection, WAN speed and type 54; console port 16; content filtering: about 11, blocking Internet sites and Java applets 123, configuring 124, 126; cookies, blocking 123; counter: LAN traffic 266, WAN traffic 263; critical messages, syslog 273; CRL (Certificate Revocation List) 235, 241; crossover cable 12, 295; CSR (certificate signing request) 237; custom services, firewall 83, 112. D. Data Encryption Standard (DES) 163, 170, 171, 179; database, local users 222; date: settings 261, troubleshooting 300; daylight savings time 261; DDNS (dynamic DNS), configuring 42, 45; Dead Peer Detection (DPD) 164, 193; debug messages, syslog 273; defaults: factory 17, 258, 299, 302; IPSec VPN Wizard 137; login time-out 22; MTU 53; password 21, 299; PVID 56; restoring 299; user name 21; VLAN 58; VPN firewall IP address 61; subnet mask 61; demilitarized zone, see DMZ; denial of service (DoS) attacks 11, 87, 107, 108; DES (Data Encryption Standard) 163, 170, 171, 179; DH (Diffie-Hellman) group 164, 172, 179; DHCP (Dynamic Host Configuration Protocol): automatic configuration of devices 12, DNS servers IP addresses 62, 74, domain name 62, 74, LDAP server 63, 75, lease renewing or releasing 286, time 62, 74, log messages explanation 339, logs viewing 288, relay 58, 62, 74, server 58, 61, 74, settings 61, 74, VLANs 58, WINS server 62, 74; diagnostics 289; Differen
277. each group's traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network. • They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet. • They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network. • They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router, so standard router-based security measures can be used to restrict access to each VLAN. Port-Based VLANs. The VPN firewall supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID). By default, all four LAN ports of the VPN firewall are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN ports have the default PVID, 1. However, you can assign another PVID to a LAN port by selecting a VLAN profile from the drop-down list on the LAN Setup screen. After you have created a VLAN profile and assigned one or more ports to the profile, you first need to enable the profile to activate it. The VPN firewall's default VLAN cannot be d
278. change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see Configure Dynamic DNS on page 42). • If the IP address of the local server PC is assigned by DHCP, it might change when the PC is rebooted. To avoid this, use the Reserved (DHCP Client) feature in the LAN Groups screen to keep the PC's IP address constant (see Set Up Address Reservation on page 72). • Local PCs need to access the local server using the PCs' local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See Configure Port Triggering on page 130 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall. Note: The VPN firewall always blocks denial of service (DoS) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so that you cannot use it, that is, the service becomes unavailable. Note: When the Block TCP Flood and Block UDP Flood check boxes are selected on the Attack Checks screen (see Attack Checks on page 106), multiple concurrent connections of the same application from one host or IP address, such as multiple DNS queries from one PC, trigger the VPN firewall's DoS protection. The following table describes the fields that define the rules for inboun
279. phase • Virtual IP address of the VPN client • DNS server address (optional) • WINS server address (optional). The virtual IP address that is issued by the VPN firewall is displayed in the VPN Client Address field on the VPN client's IPSec pane. Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters. Configure the Mode Config Authentication Settings (Phase 1 Settings). > To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray and select Configuration Panel. The Configuration Panel screen displays. [Figure 112. NETGEAR ProSafe VPN Client Professional Configuration Panel, showing VPN Configuration and Global Parameters in the tree list; status line: VPN Configuration written by VpnConf 3.00, last modification 06/22/2011.] 2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration and select New Phase 1. [Screen residue: VPN Configuration context menu: Export, Move to USB, Save (Ctrl+S), Wizard, Reload, Test
280. that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover. When the VPN firewall is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. Link failure is detected in one of the following ways: • By sending DNS queries to a DNS server • By sending a ping request to an IP address • None (no failure detection is performed). From the primary WAN interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the primary WAN interface is considered down and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another rollover occurs from the backup WAN interface back to the primary WAN interface. The WAN failure detection method that you select applies only to the primary WAN interface, that is, it monitors the primary link only. Configure Auto-Rollover Mode. > To configure auto-rollover mode: 1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays. [Screen residue: WAN Mode screen; Use NAT or Classical Routing between WAN & LAN interfa
281. that you have bought a new network device, and ask them to use the VPN firewall's MAC address. Configure your VPN firewall to spoof your PC's MAC address. You can do this in the Router's MAC Address section of the WAN Advanced Options screen for the WAN interface that you are troubleshooting (see Configure Advanced WAN Options on page 51). If your VPN firewall can obtain an IP address but an attached PC is unable to load any web pages from the Internet: • Your PC might not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically, your ISP provides the addresses of one or two DNS servers for your use. You can configure your PC manually with DNS addresses, as explained in your operating system documentation. • Your PC might not have the VPN firewall configured as its TCP/IP gateway. Troubleshoot a TCP/IP Network Using the Ping Utility. Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a TCP/IP network by using the ping utility in your PC or workstation. Test the LAN Path to Your VPN Firewall. You can ping the VPN firewall from your PC to verify that the LAN path to the VPN firewall
282. that you want to delete, or click the Select All table button to select all self-signed certificates. 2. Click the Delete table button. Manage the Certificate Revocation List. A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up to date. You should obtain the CRL for each CA regularly. > To view the currently loaded CRLs and upload a new CRL: 1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the bottom section of the screen with the Certificate Revocation Lists (CRL) table. There is one example in the table. [Figure 150. Certificates screen (3 of 3): Certificate Revocation Lists (CRL) table with columns CA Identity (Subject Name), Last Update, Next Update, and one example entry (DC=net, DC=ES, O=ESnet, OU=Certificate Authorities, CN=ESnet Root; Nov 19 18:50:37 2009; Nov 19 18:50:37 2010 GMT); Upload CRL section with CRL File field and Upload button.] The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity (Subject Name): The official name of the CA that issued the CRL. • Last Update: The date when the CRL was released. • Next Update: The date when the next CRL will be released. 2. In the Upload CRL section, click Browse and navigate to t
283. the CRL file that you previously downloaded from a CA. 3. Click the Upload table button. If the verification process on the VPN firewall approves the CRL, the CRL is added to the Certificate Revocation Lists (CRL) table. Note: If the table already contains a CRL from the same CA, the old CRL is deleted when you upload the new CRL. > To delete one or more CRLs: 1. In the Certificate Revocation Lists (CRL) table, select the check box to the left of the CRL that you want to delete, or click the Select All table button to select all CRLs. 2. Click the Delete table button. Network and System Management. This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. This chapter contains the following sections: • Performance Management • System Management. Performance Management. Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck, and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The VPN firewall has the necessary features and tools to help the network manager accomplish these goals. Bandwidth Capacity. The maximum bandwidth capacity of the VPN firewall in each direction is as follows: • LAN side
284. the Routing Table • Reboot the VPN Firewall • Capture Packets. Note: For normal operation, diagnostics are not required. > To view the Diagnostics screen: Select Monitoring > Diagnostics. The Diagnostics screen displays. [Figure 178. Diagnostics screen: Ping or Trace Route (IP Address, Ping through VPN tunnel, Select Local Gateway, Select VPN Tunnel); DNS Lookup (Internet Name); Display the Routing Table; Reboot the Router; Capture Packets (Packet Trace).] Send a Ping Packet or Trace a Route. Use the ping utility to perform one of the following diagnostic actions: • Send a ping packet request to check the connection between the VPN firewall and a specific IP address. The ping results are displayed on the Ping screen. Click Back on the browser menu bar to return to the Diagnostics screen. • Send a ping packet request to trace the route and to show the various hops between the VPN firewall and a specific IP address. The trace route results are displayed on the Trace Route screen. Select Monitoring > Diagnostics to return to the Diagnostics screen. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some networ
285. The following figure shows settings for a priority QoS profile. [Figure 27. Add QoS screen for a priority profile: QoS Type, Interface, Direction, Diffserv QoS Match, Service, Hosts (Single IP Address, Start IP, End IP, Select Group), Priority, Bandwidth Allocation (Shared, Min Bandwidth 0, Max Bandwidth 100), Diffserv QoS Remark.] 3. Enter the settings as explained in the following table. Table 10. Add QoS screen settings for a priority profile. Setting / Description. QoS Type: Priority (for Rate Control, see Figure 26 on page 48 and Table 9 on page 48). Interface: From the drop-down list, select one of the WAN interfaces. Service: From the drop-down list, select a service or application to be covered by this profile. If the service or application does not appear in the list, you need to define it using the Services screen (see Services-Based Rules on page 83). Direction: From the drop-down list, select the direction to which the priority queue is applied: • Outbound Traffic: The priority queue is applied to outbound traffic only. • Inbound Traffic: The priority queue is applied to inbound traffic only. Diffserv QoS Match: Enter a DSCP value in the range of 0 through 63. Packets are classified against this value. Leave this field blank to disable packet matching. Con
286. check box. Select NTP Mode: In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and provides time service to clients. From the drop-down list, select the NTP mode: • Authoritative Mode: The VPN firewall synchronizes its clock with the specified NTP server or servers on the Internet. If external servers are unreachable, the VPN firewall's RTC provides time service to clients. In authoritative mode, you can enter a stratum value and set the date and time manually. • Sync to NTP Servers on Internet: The VPN firewall synchronizes its clock with the specified NTP server or servers on the Internet. If external servers are unreachable, the VPN firewall does not use its RTC. • Sync to NTP Servers on VPN: The VPN firewall synchronizes its clock with the specified NTP server on the VPN. If the server is unreachable, the VPN firewall does not use its RTC. You need to select a VPN policy that enables the VPN firewall to contact the NTP server on the VPN. Select Stratum: In authoritative mode, enter a stratum value, which indicates the distance from a reference clock. The default value is 10, which specifies an unsynchronized local clock and causes NTP to use the VPN firewall's RTC when the specified NTP server is not available. Set date and time manually: This is an optional setting that is available in authoritative mode. Select the
287. attached PCs. The VPN firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. PPP over Ethernet (PPPoE): PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program. Quality of Service (QoS): The VPN firewall supports QoS, including traffic prioritization and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking. Easy Installation and Management. You can install, configure, and operate the VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks: Browser-based management: Browser-based configuration allows you to easily configure the VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface. Auto-detection of ISP: The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. IPSec VPN Wizard: The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN
hem with the PC.
3. The remote system receives the PC's request and responds using the incoming port or ports that are associated with the rule in the port triggering table on the VPN firewall.
4. The VPN firewall matches the response to the previous request and forwards the response to the PC.

Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules and most likely would be blocked.

Note these restrictions on port triggering:
- Only one PC can use a port triggering application at any time.
- After a PC has finished using a port triggering application, there is a short time-out period before the application can be used by another PC. This time-out period is required so the VPN firewall can determine that the application has terminated.

Note: For additional ways of allowing inbound traffic, see Inbound Rules (Port Forwarding) on page 86.

Firewall Protection 130
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

To add a port triggering rule:
1. Select Security > Port Triggering. The Port Triggering screen displays. See the following figure, which shows one rule in the Port Triggering Rule table as an example.

(Figure: Port Triggering screen)
hentication Dial-In User Service: See RADIUS
remote management, configuring: 250, 253
remote users, automatically assigning addresses: 176
requirements, hardware: 307
reserved IP addresses: 72
reset button: 16
restarting the traffic meter or counter: LAN traffic 268; WAN traffic 265
restoring the configuration file: 258
retry interval, DNS lookup or ping: 36
reverting to factory defaults: 258
RFC 1349: 116
RFC 1700: 112
RFC 2865: 174
RIP (Routing Information Protocol), configuring: 78, 80
Road Warrior (client-to-gateway): 314
round-robin load balancing: 37
routes: active and private 77; tracing 290
Routing Information Protocol (RIP), configuring: 78, 80
routing log messages, explanation: 336
routing table, displaying: 290
RSA signatures: 164
rules: See inbound rules; outbound rules

S
SA (security association): IKE policies 163; IPSec VPN Wizard 136; ModeConfig 179; VPN connection status 158, 283; VPN policies 171
scheduling firewall rules: 121
search base, LDAP: 63, 75
secondary RADIUS server: 175
Secure Hash Algorithm 1: See SHA-1
Secure Sockets Layer: See SSL VPN
security alert: 237
security association: See SA
security features, overview: 12
security lock: 16
Security Parameters Index (SPI): 170
self-signed certificates: 235, 237
service blocking: reducing traffic 243; rules 83
service numbers, common protocols: 112
services, customizing: 83, 112
Session
ic or permanent: 27, 31
subnet mask: default 61; DMZ port 73; WAN aliases 41
IP groups: assigning in inbound rules 89; assigning in outbound rules 85; creating 114
IP precedence, QoS: 117
IP security: See IPSec hosts, XAUTH; IPSec VPN Wizard; IPSec VPN
IP/MAC binding: 128
IPSec hosts, XAUTH: 172, 173
IPSec VPN: overview 11; specifications 304; user account 227, 228; See also VPN tunnels
IPSec VPN logs: 158
IPSec VPN Wizard: client-to-gateway tunnels, setting up 141; default settings 137; description 13; gateway-to-gateway tunnels, setting up 136
ISAKMP identifier: 163
ISP connection: troubleshooting 296; gateway IP address 31; login 29

J
Java applets, blocking: 123

K
keep-alives, VPN tunnels: 169, 192
keywords, blocking: 126
kit, rack-mounting: 18
knowledge base: 301

L
LAN: bandwidth capacity 242; default port MAC addresses 279; default settings 302; Known PCs and Devices table 69, 287; network database 67, 71, 287; secondary IP addresses 65; security checks 108; testing the LAN path 298
LAN groups: assigning in inbound rules 89; assigning in outbound rules 85; managing 69, 71
LAN inbound rules: LAN DMZ 100; LAN WAN 94
LAN LEDs: 15, 295
LAN outbound rules: LAN DMZ 99; LAN WAN 93
LAN ports: explanation 14; status, viewing 277
LAN profiles, QoS: 116, 118
LAN traffic meter or counter: 266
LDAP: base distinguished name (DN) 222; domains 220, 222; search base, search objects 63, 75
ication process:
- SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5. Hash algorithm that produces a 128-bit digest.

Local IP Address: The local IP address to which remote VPN clients have access. If you do not specify a local IP address, the VPN firewall's default LAN IP address (192.168.1.1) is used.

Local Subnet Mask: The local subnet mask. Typically this is 255.255.255.0.

4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table.

Continue the Mode Config configuration procedure by configuring an IKE policy:
5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 104 on page 160).
6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays.

Virtual Private Networking Using IPSec Connections 179

(Figure: Add IKE Policy screen, with the fields Do you want to use Mode Config Record, Policy Name, Direction/Type, Exchange Mode, Select Local Gateway, Identifier Type and Identifier for both ends, Encryption Algorithm, Authentication Algorithm, Authentication Method, and Pre-shared key)
ick the Add table button to add the PC or device to the Known PCs and Devices table.

As an optional step: To enable DHCP address reservation for the entry that you just added to the Known PCs and Devices table, select the check box for the table entry and click Save Binding to bind the IP address to the MAC address for DHCP assignment.

Edit PCs or Devices in the Network Database

To edit PCs or devices manually in the network database:
1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 34 on page 68), click the Edit table button of a table entry. The Edit Groups and Hosts screen displays.

(Figure 35: Edit Groups and Hosts screen, with the Name, IP Address Type, IP Address, MAC Address, and Group (Profile Name) fields; in the example, the name is Sales and the IP address type is Reserved (DHCP Client))

2. In the Edit Known PC and Device section, modify the settings as explained in Table 13 on page 69.
3. Click Apply to save your settings in the Known PCs and Devices table.

LAN Configuration 70

Deleting PCs or Devices from the Network Database

To delete one or more PCs or devices from the network database:
1. On the LAN Groups screen (see Figure 34 on page 68), select the check box to the left of the PC or device that you want to delete, or click the Sel
icy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies or manually add new VPN and IKE policies directly in the policy tables.

Configure IKE Policies

The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways and provides automatic management of the keys that are used for IPSec connections. It is important to remember that:
- An automatically generated VPN policy (Auto Policy) needs to use the IKE negotiation protocol.
- A manually generated VPN policy (Manual Policy) cannot use the IKE negotiation protocol.

IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy:
   - If the VPN policy is of an Auto Policy type, the IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy screen (see Figure 107 on page 168) is used to start negotiations with the remote VPN gateway.
   - If the VPN policy is of a Manual Policy type, the settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen (see Figure 107 on page 168) are accessed, and the first matching IKE policy is used to start negotiations with the remote VPN gateway. If negotiations fail, the next matching IKE policy is used. If none
ide
- Resource CD, including Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports (see the following figure):
- LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
- WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.

The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the following table.

Introduction 14

(Figure 1: front panel, showing the Power LED, Test LED, left and right LAN LEDs, DMZ LED, left and right WAN LEDs, and Internet LEDs)

Table 1. LED descriptions
LED | Activity | Description
Power | On (green) | Power is supplied to the VPN firewall.
Power | Off | Power is not sup
ield to the right of the radio button.

Enable NetBIOS: Select this check box to allow NetBIOS broadcasts to travel over the VPN tunnel. For more information about NetBIOS, see Configure NetBIOS Bridging with IPSec VPN on page 194. This feature is disabled by default.

Enable RollOver: If you have configured the VPN firewall to function in WAN auto-rollover mode (see Configure the Auto-Rollover Mode and Failure Detection Method on page 34), select the Enable RollOver check box. Then, from the corresponding drop-down list, select the backup WAN interface. After an auto-rollover has occurred, the VPN tunnel will be reestablished using the backup WAN interface. This feature is disabled by default.

Enable Keepalive: Note: See also Configure Keep-alives and Dead Peer Detection on page 191. Select a radio button to specify if keep-alive is enabled:
- Yes. This feature is enabled. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive. You need to specify the ping IP address in the Ping IP Address field, the detection period in the Detection Period field, and the maximum number of keep-alive requests that the VPN firewall sends in the Reconnect after failure count field.
- No. This feature is disabled. This is the default setting.

Ping IP Address: The IP address that the VPN firewall pings. The address needs to be of a host that can respond to ICMP ping requests
ify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined in the following table.

To enable the appropriate attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. The Attack Checks screen displays.

Firewall Protection 106

(Figure 56: Attack Checks screen. WAN Security Checks: Respond to Ping on Internet Ports, Enable Stealth Mode, Block TCP flood. LAN Security Checks: Block UDP flood, Disable Ping Reply on LAN Ports. VPN Pass through: IPsec, PPTP, L2TP. Multicast Pass through: Enable IGMP Pass through.)

2. Enter the settings as explained in the following table.

Table 20. Attack Checks screen settings
Setting | Description
WAN Security Checks
Respond to Ping on Internet Ports | Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.
Enable Stealth Mode | Select the Enable Stealth Mode check box, which is the default setti
in (see Configure VPN Authentication Domains, Groups, and Users on page 219).
4. Click Login. The default User Portal screen displays.

(Figure 133: default User Portal screen. The screen text reads: "Click the VPN Tunnel client icon to connect to the remote network. Keep your browser open to maintain the connection. Note: If you reload your browser, VPN Tunnel client will disconnect and then reconnect to the remote network.")

The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections:
- VPN Tunnel. Provides full network connectivity.
- Port Forwarding. Provides access to the network services that you defined in Configure Applications for Port Forwarding on page 202.

Virtual Private Networking Using SSL Connections 217

- Change Password. Allows the user to change their password.
- Support. Provides access to the NETGEAR website.

View the SSL VPN Connection Status and SSL VPN Logs

To review the status of current SSL VPN tunnels:
Select VPN > Connection Status > SSL VPN Connection Status. The SSL VPN Connection Status screen displays.

(Figure 134: SSL VPN Connection Status screen, with the columns Group, IP Address, Login Time, and Action; the example row shows the group geardomain, IP address 192.168.180.99, login time Wed Feb 24 17:32:56 2010, and a Disconnect action)

The active user's user
in interface.

(Figure 87)

5. This screen is a summary screen of the new VPN configuration. Click Finish.
6. Specify the local and remote IDs:
   a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen with the Authentication tab selected by default.
   b. Click the Advanced tab in the Authentication pane. The Advanced pane displays.

(Figure 88: NETGEAR ProSafe VPN Client Professional, Authentication pane, Advanced tab, showing the Advanced features (Mode Config, Aggressive Mode, NAT-T, X-Auth Popup, Hybrid Mode) and the Local and Remote ID settings (type of ID and value for the ID); in the example, both the Local ID and the Remote ID are of type DNS)

Virtual Private Networking Using IPSec Connections 146

   c. Specify the settings that are explained in the following table.

Table 32. VPN client advanced authentication settings
Setting | Description
Advanced features
Aggressive Mode | Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall.
NAT-T | Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
Local an
ing Process 310
Inbound Traffic 311
Inbound Traffic to a Single WAN Port System 312
Inbound Traffic to a Dual WAN Port System 312
Virtual Private Networks 313
VPN Road Warrior (Client-to-Gateway) 314
VPN Gateway-to-Gateway 316
VPN Telecommuter (Client-to-Gateway through a NAT Router) 319

Appendix C System Logs and Error Messages
System Log Messages 323
(unreadable entry) 323
Login/Logout 324
(unreadable entry) 324
(unreadable entry) 324
(unreadable entry) 325
IPSec Restart 325
Unicast, Multicast, and Broadcast Logs 325
WAN Status 326
Resolved DNS Names 330
VPN Log Messages 330
Traffic Meter Logs 336
Routing Logs 336
LAN to WAN Logs 336
LAN to DMZ Lo
ings to allow up to 16 VLANs to each be assigned a unique MAC address. You can also enable or disable the broadcast of Address Resolution Protocol (ARP) packets for the default VLAN. If the broadcast of ARP packets is enabled, IP addresses can be mapped to physical addresses (that is, MAC addresses). For information about the LAN traffic meter, see Enable the LAN Traffic Meter on page 266.

LAN Configuration 64

To configure a VLAN to have a unique MAC address:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display with the LAN Setup screen in view (see Figure 30 on page 59).
2. Select the Advanced option arrow in the upper right of the LAN Setup screen. The LAN Advanced screen displays.

(Figure 32: LAN Advanced screen, with the MAC Address for VLANs drop-down list, the Enable ARP Broadcast check box, and the Set Refresh Rate field in seconds. The screen carries two notes: "If the number of VLANs that require a unique MAC address exceeds this device's limits, the MAC addresses assigned to each VLAN may no longer be distinct. Please refer to the help text for the supported number of MAC addresses available for VLANs." and "This setting will be applicable only for the default VLAN.")

3. From the MAC Address for VLANs drop-down list, select Unique. The default is Same.
4. As an option, you can disable the bro
ings work well for a Mode Config configuration.

PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
- Group 1 (768 bit)
- Group 2 (1024 bit). This is the default setting.
- Group 5 (1536 bit)

SA Lifetime: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
- Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds.
- KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.

Encryption Algorithm: From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
- DES. Data Encryption Standard (DES).
- 3DES. Triple DES. This is the default algorithm.
- AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192. AES with a 192-bit key size.
- AES-256. AES with a 256-bit key size.

Integrity Algorithm: From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authent
(Figure 89: Global Parameters pane of the VPN client, showing the Lifetimes for Authentication (IKE) and Encryption (IPSec) (each with a default, minimum, and maximum in seconds), the Dead Peer Detection (DPD) settings (check interval in seconds, maximum number of retries, delay between retries in seconds), and the Miscellaneous settings (retransmissions, IKE port, X-Auth timeout, NAT port, block non-ciphered connection))

   b. Specify the default lifetimes in seconds:
   - Authentication (IKE) Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
   - Encryption (IPSec) Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall.
8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

The VPN client configuration is now complete. Instead of using the wizard on the VPN client, you can also manually configure the VPN client, which is explained in the following section.

Manually Create a Secure Connection Using the NETGEAR VPN Client

Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed.

To manually configure a VPN connection between the VPN client and the VPN firewall, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.

Virtual Private Networking Using IPSec Connections 148
ion goes far beyond NAT.

Administrator Tips

Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure VPN Authentication Domains, Groups, and Users on page 219 and Configure Remote Management Access on page 250).
2. Although using rules (see Use Rules to Block or Allow Specific Kinds of Traffic on page 82) is the basic way of managing the traffic through your system, you can further refine your control using the following features and capabilities of the VPN firewall:
   - Groups and hosts (see Manage Groups and Hosts (LAN Groups) on page 67)
   - Services (see Services-Based Rules on page 83)
   - Schedules (see Set a Schedule to Block or Allow Specific Traffic on page 121)
   - Source MAC filtering (see Enable Source MAC Filtering on page 126)
   - Port triggering (see Configure Port Triggering on page 130)
3. Some firewall settings might affect the performance of the VPN firewall. For more information, see Performance Management on page 242.
4. The firewall logs can be configured to log and then email dropped packet information and other information to a specified email address. For information about how to configure logging and notifications, see Activate Notification of Events, Alerts, and Syslogs on page 269.

Use Rules to Block or Allow Specific Kinds of Traffic

Firewall rules
irewall's remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>.

Network and System Management 252

Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses.

Note: To maintain security, the VPN firewall rejects a login that uses an http:// address rather than the SSL https:// address.

Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or later, simply click Yes to accept the certificate.

Note: If you are unable to remotely connect to the VPN firewall after enabling HTTPS remote management, check if other user policies, such as the default user policy, are preventing access. For access to the VPN firewall's web management interface, check if administrative access through a WAN interface is granted (see Configure Login Policies on page 229).

Note: If you disable HTTPS remote management, all SSL VPN user connections are also disabled.

Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert VPN fire
irewall.

IPSec VPN Connection Status

To review the status of current IPSec VPN tunnels:
Select VPN > Connection Status. The VPN Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view. The following figure shows an IPSec SA as an example.

(Figure 102: IPSec VPN Connection Status screen, with the columns Policy Name, Endpoint, Tx (KB), Tx (Packets), State, and Action; the example row shows the policy GW1 to GW2, endpoint 10.144.28.226, 0.00 KB, 0 packets, state IPsec SA Not Established, and a Connect action. Below the table are the Client Policy Poll Interval field (seconds), the Set Interval button, and the Stop button.)

The Active IPSec SAs table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set Interval. To stop polling, click Stop.

Virtual Private Networking Using IPSec Connections 157

Table 36. IPSec VPN Connection Status screen information
Item | Description
Policy Name | The name of the VPN policy that is associated with this SA.
Endpoint | The IP address on the remote VPN endpoint.
Tx (KB) | The amount of data that is transmitted over this SA.
Tx (Packets) | The number of IP packets that are transmitted over this SA.
State | The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is key exchange
irewall is on a local LAN with IP address 192.168.1.100.
- The VPN firewall connects to a remote network where you need to access a device.
- The LAN IP address of the remote network is 134.177.0.0.

When you first configured the VPN firewall, two implicit static routes were created:
- A default static route was created with your ISP as the gateway.
- A second static route was created to the local LAN for all 192.168.1.x addresses.

With this configuration, if you attempt to access a device on the 134.177.0.0 remote network, the VPN firewall forwards your request to the ISP. In turn, the ISP forwards your request to the remote network, where the request is likely to be denied by the remote network's firewall.

In this case you need to define a static route, informing the VPN firewall that the 134.177.0.0 IP address should be accessed through the local LAN IP address 192.168.1.100. The static route on the VPN firewall needs to be defined as follows:
- The destination IP address and IP subnet mask need to specify that the static route applies to all 134.177.x.x IP addresses.
- The gateway IP address needs to specify that all traffic for the 134.177.x.x IP addresses should be forwarded to the local LAN IP address 192.168.1.100.
- A metric value of 1 should work, since the VPN firewall is on the local LAN.
- The static route can be made private only as a precautionary security measure in case RIP is activated.

LAN Configuration 80
is 0 (zero).

DNS Proxy
Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the VPN firewall to provide a LAN IP address for DNS address name resolution. This setting is enabled by default.

3. Click Apply to save your settings.

Note: The DMZ LED next to LAN port 4 (see Front Panel on page 14) lights green to indicate that the DMZ port is enabled.

For information about how to define the DMZ WAN rules and LAN DMZ rules, see Set DMZ WAN Rules on page 95 and Set LAN DMZ Rules on page 98, respectively.

Manage Routing

Static routes provide additional routing information to your VPN firewall. Under normal circumstances, the VPN firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.

LAN Configuration 75

Note: The VPN firewall automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multi-Home LAN IP Addresses on the Default VLAN on page 65). Therefore, you do not need to manually add a static route between a VLAN and a secondary IP address.

Configure Static Routes

To add a static route to the Static Routes table:
1. Selec
(unreadable entry) 42
Configure WAN QoS Profiles 46
Configure Advanced WAN Options 51
Additional WAN-Related Configuration Tasks 54
What to Do Next 54

Chapter 3 LAN Configuration
Manage Virtual LANs and DHCP Options 55
Port-Based VLANs 56
Assign and Manage VLAN Profiles 57
VLAN DHCP Options 58
Configure a VLAN Profile 59
Configure VLAN MAC Addresses and LAN Advanced Settings 64
Configure Multi-Home LAN IP Addresses on the Default VLAN 65
Manage Groups and Hosts (LAN Groups) 67
Manage the Network Database 68
Change Group Names in the Network Database 71
Set Up Address Reservation 72
Configure and Enable the DMZ Port 72
Manage Routing 75
Configure Static Routes 76
Configure Routing Information Protocol 78
Static Route Example 80

Chapter 4 Firewall Protection
About Firewall Protection
is not matched against the inbound rules on the DMZ WAN Rules screen.

To create a new inbound DMZ WAN service rule:
1. In the DMZ WAN Rules screen, click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen displays. The following figure shows an example.

(Figure 47: Add DMZ WAN Inbound Service screen, with the Service, Action, Select Schedule, Send to DMZ Server, Translate to Port Number, WAN Destination IP Address, DMZ Users, WAN Users, QoS Profile, and Log fields; in the example, the service is BOOTP_SERVER and the action is ALLOW always)

2. Enter the settings as explained in Table 19 on page 88.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.

Firewall Protection 97

Set LAN DMZ Rules

The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network. You can then apply firewall rules to block specific types of traffic from either going out from the LAN to the DMZ (outbound) or coming in from the DMZ to the LAN (inbound). There is no drop-down list that lets you set the default outbound policy, as there is on the LAN WAN Rules screen. You can change the default outbound
ite. When a security alert is generated, the user can decide whether or not to trust the host.

(Figure 147: browser security alert dialog. Its text reads: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?")

Generate a CSR and Obtain a Self-Signed Certificate from a CA

To use a self-signed certificate, you first need to request the digital certificate from a CA, and then download and activate the digital certificate on the VPN firewall. To request a self-signed certificate from a CA, you need to generate a certificate signing request (CSR) for and on the VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR.

To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the VPN firewall:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section (Generate Sel
itioned to idle mode. This event occurs if there is no traffic from the LAN network.
Message 9: The time in minutes for which the link has been up.
Message 10: Data sent and received at the LAN side while the link was up.
Message 11: PPP connection terminated after idle timeout.
Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.

PPTP Idle Timeout Logs

Table 94. System logs: WAN status, PPTP idle time-out
Message:
Nov 29 11:19:02 SRX5308 pppd: Starting connection
Nov 29 11:19:05 SRX5308 pppd: CHAP authentication succeeded
Nov 29 11:19:05 SRX5308 pppd: local IP address 192.168.200.214
Nov 29 11:19:05 SRX5308 pppd: remote IP address 192.168.200.1
Nov 29 11:19:05 SRX5308 pppd: primary DNS address 202.153.32.2
Nov 29 11:19:05 SRX5308 pppd: secondary DNS address 202.153.32.2
Nov 29 11:20:45 SRX5308 pppd: No response to 10 echo requests
Nov 29 11:20:45 SRX5308 pppd: Serial link appears to be disconnected
Nov 29 11:20:45 SRX5308 pppd: Connect time 1.7 minutes
Nov 29 11:20:45 SRX5308 pppd: Sent 520 bytes, received 80 bytes
Nov 29 11:20:51 SRX5308 pppd: Connection terminated
Explanation:
Message 1: Starting PPP connection process.
Message 2: Message from the server for authentication success.
Message 3: Local IP address assigned by the server.
Message 4: Server-side IP address.
Message 6: The primary DNS server that is configured on the WAN ISP s
[Figure 107: Add New VPN Policy screen. Manual Policy Parameters fields: Integrity Algorithm (SHA-1), Key In, Key Out, with key-length hints DES 8 Char & 3DES 24 Char, MD5 16 Char & SHA-1 20 Char. Auto Policy Parameters fields: SA Lifetime, Encryption Algorithm, Integrity Algorithm, PFS Key Group, Select IKE Policy (GW1 to GW2 selected).]

Virtual Private Networking Using IPSec Connections 168 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

3. Complete the settings as explained in the following table.

Table 40. Add New VPN Policy screen settings

Setting: Description

General
Policy Name: A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Policy Type: From the drop-down list, select one of the following policy types:
• Auto Policy: Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically.
• Manual Policy: All settings need to be specified, including the ones in the Manual Policy Parameters section of the screen.
Select Local Gateway: From the drop-down list, select one of the four WAN interfaces to function as the local gateway.
Remote Endpoint: Select a radio button to specify how the remote endpoint is defined:
• IP Address: Enter the IP address of the remote endpoint in the fields to the right of the radio button.
• FQDN: Enter the FQDN of the remote endpoint in the f…
…k devices can be configured not to respond to a ping.

To send a ping request:

1. In the Ping or Trace and IP Address section on the Diagnostics screen, make one of the following selections to specify how the destination should be reached:
• If the specified address is reached through a VPN tunnel:
  a. Select the Ping through VPN tunnel check box.
  b. Select either Auto or a specific VPN tunnel from the Select VPN Tunnel drop-down list.
• If the specified address is not reached through a VPN tunnel, select a WAN interface from the Select Local Gateway drop-down list.
2. In the IP Address field, enter the IP address that you want to ping.
3. Make one of the following selections:
• Click the Ping button. The results are displayed on the Ping screen. To return to the Diagnostics screen, click Back on the browser menu bar.
• Click the Trace Route button. The results are displayed on the Trace Route screen. Select Monitoring > Diagnostics to return to the Diagnostics screen.

Look Up a DNS Address

A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.

To look up a DNS address:

1. In the Perform a DNS Lookup section on the Diagnostics screen, enter a domain name in the Internet Name field.
2. Click the Lookup button. The results of the lookup action are displayed in the…
…king
  ActiveX controls, 123
  all browsing access, 124
  cookies, 123
  domains, 123, 126
  floods, TCP and UDP, 107, 108
  instant messaging applications, 105
  Internet sites and Java applets, 123
  keywords, 126
  newsgroups, 124
  ping replies
    on Internet port, 107
    on LAN port, 108
  proxy server, 123
  sessions, 110
  sites to reduce traffic, 244
  traffic, scheduling of, 121
  when reaching LAN limit, 268
  when reaching WAN limit, 265
  web components, 123, 126
browsers
  user login policies, 232
  web management interface, 20
browsing access, blocking, 124
button, reset, 16
buttons, web management interface, 23

C
CA (certification authority), 166, 235
cache control and cleaner, 201
capturing packets, diagnostics, 291
category 5 cable, 307
Certificate Revocation List (CRL), 235, 241
certificate signing request (CSR), 237
certificates, managing, 234, 241
certification authority (CA), 166, 235
CHAP (Challenge Handshake Authentication Protocol). See also RADIUS-CHAP, MIAS-CHAP, or WiKID-CHAP, 220
classical routing mode, configuring, 33
cleaning cache, 201
CLI (command-line interface), 16, 253
client identifier, 31
clients, SSL VPN, 205
command-line interface (CLI), 16, 253
community string, SNMP, 255
compatibility, protocols and standards, 303
compliance
  notification of, 345
  regulatory, 304
configuration file, managing, 256, 260
configuration menu, web management interface, 23
configuration, default settin…
…l certificates. Each CA issues its own CA identity digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
• Self-signed certificates. The digital certificates that are issued to you by a CA to identify your device.

The Certificates screen contains four tables that are explained in detail in the following sections:
• Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Manage Self-Signed Certificates on page 237).
• Active Self Certificates table. Contains the self-signed certificates that were issued by CAs and that you uploaded (see Manage Self-Signed Certificates on page 237).
• Self Certificate Requests table. Contains the self-signed certificate requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed certificates in the Active Self Certificates table are active on the VPN firewall (see Manage Self-Signed Certificates on page 237).
• Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only the active CAs and their critical release date (see Manage the Certificate Revocation List…
…l to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings:
Domain Name: This is optional. Enter the domain name of the VPN firewall.
Start IP: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the ending IP address. The IP address 192.168.1.2 is the default start address.
End IP: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The starting and ending DHCP IP addresses should be in the same network as the IP address of the DMZ port (that is, the IP address in the DMZ Port Setup section of the screen).
Primary DNS Server: This is optional. If an IP address is specified, the VPN firewall provides this address as the primary DNS server IP address. If no address is specified, the VPN firewall provides its own LAN IP address as the primary DNS server IP address.
Secondary DNS Server: This is optional. If an IP address is specified, the VPN firewall provides this address as the secondary DNS server IP address.
WINS Server: This i…
…l to view all global policies.
• Click Group to view group policies and choose the relevant group's name from the drop-down list.
• Click User to view user policies and choose the relevant user's name from the drop-down list.
3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option.

Add a Policy

To add an SSL VPN policy:

1. Select VPN > SSL VPN. The SSL VPN submenu tabs display with the Policies screen in view (see the previous figure, which shows some examples).
2. Under the List of SSL VPN Policies table, click the Add table button. The Add Policy screen displays.

[Figure 131: Add SSL VPN Policy screen. Policy For radio buttons: Global, Group, User. Add SSL VPN Policies fields: Apply Policy to, Policy Name, Network Resource, IP Address, Subnet Mask, IP Network (Begin, End), All Addresses, Port Range (1 to 65535), Service (VPN Tunnel), Defined Resources, Permission (PERMIT).]

3. Complete the settings as explained in the following table.

Table 54. Add SSL VPN Policy screen settings

Setting: Description
Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy:
• Global: The new policy is global and excludes all groups and users.
• Group: The n…
…lds as the Add LAN Traffic Meter Account screen (see Figure 162 on page 267).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete a LAN traffic meter account:

1. Select the check box to the left of the account that you want to delete, or click the Select All table button to select all accounts.
2. Click the Delete table button.

Activate Notification of Events, Alerts, and Syslogs

You can configure the VPN firewall to log and then email denial of access, general attacks, and other information to a specified email address. For example, the VPN firewall can log security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and login attempts, and other general information based on the settings that you specify on the Firewall Logs & E-mail screen. Selecting all events will increase the size of the log, so it is good practice to select only those events that are required.

For you to receive the logs in an email message, the VPN firewall's email notification server needs to be configured and email notification needs to be enabled. You need to configure the necessary information for sending email, such as the administrator's email address, the email server, user name, and password. You can also view the logs on the View Log screen or send them to a syslog server.

To configure an…
…le 16. RIP Configuration screen settings

Setting: Description

RIP
RIP Direction: From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets:
• None: The VPN firewall neither advertises its route table nor accepts any RIP packets from other routers. This effectively disables RIP.
• In Only: The VPN firewall accepts RIP information from other routers but does not advertise its routing table.
• Out Only: The VPN firewall advertises its routing table but does not accept RIP information from other routers.
• Both: The VPN firewall advertises its routing table and also processes RIP information received from other routers.
RIP Version: From the RIP Version drop-down list, select the version:
• Disabled: The RIP version is disabled. This is the default setting.
• RIP-1: Classful routing that does not include subnet information. This is the most commonly supported version.
• RIP-2B: Routing that sends the routing data in RIP-2 format and uses subnet broadcasting.
• RIP-2M: Routing that sends the routing data in RIP-2 format and uses multicasting.

Authentication for RIP-2B/2M
Authentication for RIP-2B/2M required?: Authentication for RIP-2B or RIP-2M is disabled by default, that is, the No radio button is selected. To enable authentication for RIP-2B or RIP-2M, select the Yes radio button and enter the settings for the following fields:
First Key Param…
…le 7. Add Protocol Binding screen settings

Setting: Description
Service: From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Services-Based Rules on page 83).
Local Gateway: From the drop-down list, select one of the WAN interfaces.
Source Network: The source network settings determine which computers on your network are affected by this rule. Select one of the following options from the drop-down list:
• Any: All devices on your LAN.
• Single address: In the Start IP field, enter the IP address to which the rule is applied.
• Address Range: In the Start IP field and End IP field, enter the IP addresses for the range to which the rule is applied.
• Group: If this option is selected, the rule is applied to the selected group. The group can be a LAN group or an IP LAN group. Note: For information about LAN groups, see Manage Groups and Hosts (LAN Groups) on page 67. For information about IP groups, see Create IP Groups on page 114.
Destination Network: The destination network settings determine which Internet locations (based on their IP address) are covered…
…les NAT filtering for PPTP tunnels.
• L2TP: Disables NAT filtering for L2TP tunnels.
By default, all three check boxes are selected.

Multicast Pass-through
Enable IGMP Pass-through: IP multicast pass-through allows multicast packets that originate in the WAN subnet, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet. Internet Group Management Protocol (IGMP) is used to support multicast between IP hosts and their adjacent neighbors. Select the Enable IGMP Pass-through check box to enable IP multicast pass-through. By default, IP multicast pass-through is enabled.

Click Apply to save your settings.

Set Session Limits

The session limits feature allows you to specify the total number of sessions that are allowed per user over an IP connection across the VPN firewall. The session limits feature is disabled by default.

To enable and configure session limits:

1. Select Security > Firewall > Session Limit. The Session Limit screen displays.

[Session Limit screen (Security > Firewall submenu tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advanced). Fields: Session Limit Control (Do you want to enable Session Limit? Yes/No), User Limit Parameter, User Limit, Block IP to add new session for Time (seconds), Block IP's all connections for Time (seconds), Number of Pa…]
[Figure 149: Self Certificate Request details: …Algorithm MD5, Signature Algorithm RSA, Key Length 512, and the Data to supply to CA text box containing the generated request in PEM form, from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST.]

5. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST.
6. Submit your CSR to a CA:
  a. Connect to the website of the CA.
  b. Start the CSR procedure.
  c. When prompted for the requested data, copy the data from your saved text file, including BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.
  d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA and store it on your computer.
8. Return to the Certificates screen (see Figure 148 on page 238) and locate the Self Certificate Requests section.
9. Select the check box next to the self-signed certificate request.
10. Click Browse and navigate to the digital certificate file from the CA that…
…licy.
4. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.

To edit a VPN policy:

1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add New VPN Policy screen (see Figure 107 on page 168).
3. Modify the settings that you wish to change (see the previous table).
4. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.

Configure Extended Authentication (XAUTH)

When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.

You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
• Edge Device: The VPN firewall is…
• Time is off by 1 hour. Cause: The VPN firewall does not automatically sense daylight savings time. Go to the Time Zone screen and select or clear the Automatically Adjust for Daylight Savings Time check box.

Access the Knowledge Base and Documentation

To access NETGEAR's knowledge base for the VPN firewall, select Web Support > Knowledgebase.
To access NETGEAR's documentation library for the VPN firewall, select Web Support > Documentation.

Default Settings and Technical Specifications

You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 258).
• To perform a hard reset, press and hold the reset button for approximately 8 seconds until the Test LED blinks rapidly. The VPN firewall returns to the factory configuration settings that are shown in the following table.
• Pressing the reset button for a shorter period of time simply causes the VPN firewall to reboot.

The following table shows the default configuration settings for the VPN firewall.

Table 75. VPN firewall default configuration settings

Feature: Default behavior
Router login
  User login URL: https://192.168.1.1
  Administrator user name (case-sensitive): admin
  Administ…
…list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Configure the Mode Config Global Parameters

To specify the global parameters:

1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen.

[Figure 117: NETGEAR ProSafe VPN Client Professional, Configuration Panel, Global Parameters pane. Tree entries: Global Parameters, GW_ModeConfig, Tunnel_ModeConfig. Lifetime (sec) fields (Default, Minimal columns): Authentication (IKE) 3600, Encryption (IPSec) 3600. Dead Peer Detection (DPD): Check interval 30 sec, Max number of retries 3, Delay between retries 15 sec. Miscellaneous: Retransmissions, IKE Port, X-Auth timeout 20, NAT Port, Block non-ciphered connection.]

2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall:
  Authentication (IKE) Default: Enter 3600 seconds.
  Encryption (IPSec) Default: Enter 3600 seconds.
3. Select the Dead Peer Detection (DPD) check box and configure the following DPD settings to match the configuration on the VPN firewall:
  • Ch…
[Figure 77: VPN Wizard screen. Prompts: This VPN tunnel will connect to the following peers (Gateway / VPN Client). Connection Name and Remote IP Type: What is the new Connection Name? What is the pre-shared key? (example value 28qbrot746; Key Length 8 to 49 Char). This VPN tunnel will use following local WAN Interface (WAN1, Enable Rollover). End Point Information: What is the Remote WAN's IP Address or Internet Name? (10.144.28.226); What is the Local WAN's IP Address or Internet Name? (10.34.116.22); What is the remote LAN IP Address?; What is the remote LAN Subnet Mask?]

To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A popup window appears (see Figure 78 on page 138) displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.

VPN Wizard default values

Default values of IKE Policy:
  Exchange Mode: Aggressive
  ID Type: FQDN
  Local WAN ID: srx_local.com
  Remote WAN ID: srx_remote.com
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA-1
  Authentication Method: Pre-shared key
  Key Group: DH Gr…
  Life Time:

Default values for VPN Policy:
  Encryption Algorithm:
  Authentication Algorithm:
  Life Time:
  PFS Key Group:
  NETBIOS:
…lowing figure. The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the VPN firewall and that have been automatically detected by the VPN firewall:
Active: A Yes or No indicates if the UPnP device port that established a connection is currently active.
Protocol: Indicates the network protocol, such as HTTP or FTP, that is used by the device to connect to the VPN firewall.
Int. Port: Indicates if any internal ports are opened by the UPnP device.
Ext. Port: Indicates if any external ports are opened by the UPnP device.
IP Address: Lists the IP address of the UPnP device accessing the VPN firewall.

[Figure 73: UPnP screen (Security > Services submenu tabs: Services, Schedule, Firewall, Address Filter, Port Triggering, Bandwidth Profile, Content Filtering). Fields: Do you want to enable UPnP? (Yes/No), Advertisement Period (Minutes), Advertisement Time To Live (Hops); UPnP Portmap Table with a Refresh button.]

2. To enable the UPnP feature, select the Yes radio button. The feature is disabled by default. To disable the feature, select No.
3. Configure the following fields:
  Advertisement Period: Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range. The default setting is 40 minutes.
  Advertisement Time to Live: Enter a number that spe…
…lp screen. To open the help screen, click the Help icon.

2. Configure the Internet Connections

To set up your VPN firewall for secure Internet connections, you configure WAN ports 1 through 4. The web management interface offers two connection configuration options:
• Automatic detection and configuration of the network connection
• Manual configuration of the network connection
Each option is detailed in a section that follows.

Automatically Detecting and Connecting

To automatically configure the WAN ports for connection to the Internet:

1. Select Network Configuration > WAN Settings. The WAN screen displays.

[Figure 10: WAN Settings screen (Network Configuration submenu tabs: WAN Settings, Protocol Binding, Dynamic DNS, LAN Settings, DMZ Setup, Routing, QoS, WAN Mode). Table columns: WAN, Status, WAN IP, Failure Detection Method (DNS Lookup, WAN DNS Servers), Action (Edit, Status). In the example, the first interface shows WAN IP 10.34.116.22 and the others 0.0.0.0.]

The WAN Settings table displays the following fields:
WAN: The WAN interface (WAN1, WAN2, WAN3, and WAN4).
Status: The status of the WAN interface (UP or DOWN).
WAN IP: The IP address of the WAN interface.
Failure Detection Method: The failure detection method that is active for the WAN interface. The following methods can be displayed:…
…management interface. The default idle time-out period is 10 minutes.
3. Click the Add table button. The new group is added to the List of Groups table.

To delete one or more groups:

1. In the List of Groups table, select the check box to the left of the group that you want to delete, or click the Select All table button to select all groups. You cannot delete a default group; you can only delete the domain with the identical name as the default group (see Configure Domains on page 219), which causes the default group to be deleted.
2. Click the Delete table button.

Note: You can delete only groups that you created on the Groups screen. Groups that were automatically created when you created a domain cannot be deleted on the Groups screen. See the Important note at the beginning of this section.

Edit Groups

To edit a VPN group:

1. Select Users > Groups. The Groups screen displays (see the previous screen).
2. In the Action column of the List of Groups table, click the Edit table button for the group that you want to edit. The Edit Groups screen displays (see the following figure). With the exception of groups that are associated with domains that use the LDAP authentication method, you can modify only the idle time-out settings on the Edit Groups screen.

[Edit Groups screen: Group Name ProductMarketing, Group's Auth…]
…ming: TYPE: Protocol type.

System Log Messages

This section describes log messages that belong to one of the following categories:
• Logs generated by traffic that is meant for the VPN firewall
• Logs generated by traffic that is routed or forwarded through the VPN firewall
• Logs generated by system daemons (the NTP daemon, the WAN daemon, and other daemons)
To select many of these logs, see Activate Notification of Events, Alerts, and Syslogs on page 269.

NTP

This section describes log messages generated by the NTP daemon during synchronization with the NTP server.

Table 82. System logs: NTP

Message:
Nov 28 12:31:13 SRX5308 ntpdate: Looking Up time-f.netgear.com
Nov 28 12:31:13 SRX5308 ntpdate: Requesting time from time-f.netgear.com
Nov 28 12:31:14 SRX5308 ntpdate: adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 SRX5308 ntpdate: Synchronized time with time-f.netgear.com
Nov 28 12:31:16 SRX5308 ntpdate: Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006
Nov 28 12:31:16 SRX5308 ntpdate: Date and Time After Synchronization: Tue Nov 28 12:31:16 GMT+0530 2006
Nov 28 12:31:16 SRX5308 ntpdate: Next Synchronization after 2 Hours

Explanation:
Message 1: DNS resolution for the NTP server (time-f.netgear.com).
Message 2: Request for NTP update from the time server.
Message 3: Adju…
…more information, see Content Filtering on page 123.

Source MAC Filtering

If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. See Enable Source MAC Filtering on page 126 for the procedure on how to use this feature.

Features That Increase Traffic

The following features of the VPN firewall tend to increase the traffic load on the WAN side:
• LAN WAN inbound rules (also referred to as port forwarding)
• DMZ WAN inbound rules (also referred to as port forwarding)
• Port triggering
• Enabling the DMZ port
• Configuring exposed hosts
• Configuring VPN tunnels

LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)

The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for inbound traffic (from WAN to LAN and from WAN to the DMZ). If you have not defined any rules, only the default rule is listed. The default rule blocks all access from outside except responses to requests from the LAN side. Any inbound rule that you create allows additional incoming traffic and therefore increases the traffic load on the WAN side.

WARNING: This feature is for advanced a…
…n > Settings Backup and Firmware Upgrade.

[Figure 157: Settings Backup and Firmware Upgrade screen (Administration submenu tabs: Remote Management, SNMP, Settings Backup and Firmware Upgrade). Options: Save a copy of current settings (Back Up button), Restore saved settings from file (Restore button), Revert to factory default settings (Default button), Locate and select the upgrade file from your hard disk.]

Back Up Settings

The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on. Back up your VPN firewall settings periodically, and store the backup file in a safe place.

Tip: You can use a backup file to export all settings to another VPN firewall that has the same language and management software versions. Remember to change the IP address of the second VPN firewall before deploying it to eliminate IP address conflicts on the network.

To back up settings:

1. On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Save a copy of current settings, click the Back Up button to save a copy of your current settings. A warning appears, and then a screen showing the file name of the backup file (SRX5308.cfg).
2. Select Save file, and then click OK.
3. Open the folder where you have saved the backup file, and then verify that it has been saved successfully. Note the following:
• If your browser is not configured to save downloaded files automatically, locate the folder…
…n (see View the WAN Port Connection Status on page 285).
5. Repeat step 2, step 3, and step 4 for the other WAN interfaces that you want to configure.

If your WAN ISP configuration was successful, you can skip ahead to Configure the WAN Mode on page 32. If one or both automatic WAN ISP configurations failed, you can attempt a manual configuration as described in Manually Configure the Internet Connection on this page, or see Troubleshoot the ISP Connection on page 296.

Set the VPN Firewall's MAC Address

Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. The default is set to Use Default Address on the WAN Advanced Options screens. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you need to enter that address on the WAN Advanced Options screen for the corresponding WAN interface (see Configure Advanced WAN Options on page 51).

Manually Configure the Internet Connection

Unless your ISP automatically assigns your configuration via DHCP, you need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The settings for various connection types are listed in the previous table.

To manually configure the WAN ISP settings:

1. Select Network Configuration > WAN Settings. The WAN screen displays (see Figure 10 on p…
…n Panel screen. In the tree list pane of the Configuration Panel screen, perform one of the following tasks:
  • Click the Tunnel IPSec configuration name and press Ctrl+O.
  • Right-click the Tunnel IPSec configuration name and select Open tunnel.

[Figure 96: VPN Configuration tree (Global Parameters, Gateway, Tunnel) with the context menu: Open tunnel (Ctrl+O), Export, Copy (Ctrl+C), Rename (F2), Delete (Del).]

• Use the Connection Panel screen. On the main menu of the Configuration Panel screen, select Tools > Connection Panel to open the Connection Panel screen. Perform one of the following tasks:
  • Double-click Gateway Tunnel.
  • Right-click Gateway Tunnel and click Open tunnel.
  • Click Gateway Tunnel and press Ctrl+O.

[Figure 97: Connection Panel screen showing the Gateway Tunnel entry.]

• Use the system tray icon. Right-click the system tray icon and click Open tunnel.

[Figure 98: System tray menu: Tunnel > Open tunnel, Console, Connection Panel, Configuration Panel.]

Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray.

[Figure 99: Tunnel opened message above the system tray.]

Once launched, the VPN client displays an icon in the system tray that indicates whether or not a tunnel is opened, using a color code:
Green…
…n apply firewall rules to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound). There is no drop-down list that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by blocking all outbound traffic and then enabling only specific services to pass through the VPN firewall. You do so by adding outbound services rules (see DMZ WAN Outbound Services Rules on page 96).

To access the DMZ WAN Rules screen:

1. Select Security > Firewall > DMZ WAN Rules. The DMZ WAN Rules screen displays. The following figure shows a rule in the Outbound Services table as an example.

[DMZ WAN Rules screen (Security > Firewall submenu tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advanced). Outbound Services table columns: Service Name, Filter, DMZ Users, WAN Users, QoS Profile, Log, Action; the example rule applies to ANY DMZ Users and ANY WAN Users with the Maximize_Throughput QoS profile and Log set to Never. Inbound Services table columns: Service Name, Action, DMZ Server IP Address, DMZ Users, WAN Users, Destination, QoS Profile. Table buttons: Select All, Delete, Enable, Disable, Add.]

Note: Inbound rules configured in the LAN WAN Rules page will take precedence over the inbound rules configured in the DMZ WAN Rules page. As a result, if an inbound packet matches an inbound rule in the LAN WAN Rules page, then it will not be matched a…
336. n succeeded. (Figure 80: the IPSec VPN Connection Status table with columns Policy Name, Endpoint, Tx (KB), Tx (Packets), State and Action; the example row GW1 to GW2, 10.144.28.226, 0.00, 0, IPsec SA Not Established, Client Policy; below it the Poll Interval field in seconds and the Set interval button.) b. Locate the policy in the table and click the Connect table button. The IPSec VPN connection should become active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time. Create a Client-to-Gateway VPN Tunnel. (Figure 81: Road Warrior Example, Single WAN Port. Client B, a remote PC running the NETGEAR ProSafe VPN Client, connects to Gateway A, the VPN router at the employer's main office, identified by WAN IP or FQDN; fully qualified domain names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.) To configure a VPN client tunnel, follow the steps in the following sections: Use the VPN Wizard: Configure the Gateway for a Client Tunnel on page 141; Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 143, or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 148. Use the VPN Wizard: Configure the Gateway for a Client Tunnel.
337. n the WAN should be auto-detected, should be assigned the address of a WAN interface, or should be assigned the address of a different interface. The options are: Auto: the source address of the outgoing packets is auto-detected via the configured routing and load balancing rules. WAN Interface Address: all the outgoing packets on the WAN are assigned to the address of the specified WAN interface. Single Address: all the outgoing packets on the WAN are assigned to the specified IP address, for example, a secondary WAN address that you have configured. Note: The NAT IP option is available only when the WAN mode is NAT. The IP address specified should fall under the WAN subnet. Inbound Rules (Port Forwarding). If you have enabled Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly access any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet. The rule informs the firewall to direct inbound traffic for a particular service to one local server, based on the destination port number. This process is also known as port forwarding. Whether or not DHCP is enabled, how a PC accesses the server's LAN address impacts the inbound rules. For example: If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might c
338. n the tree list pane. This name needs to be a unique name. The IPSec pane displays in the Configuration Panel screen with the IPSec tab selected by default. (Figure 94: the NETGEAR ProSafe VPN Client Professional window, IPSec tab, with the VPN Client address, Address type (Subnet address), Remote LAN address, Subnet mask, Encryption, Authentication, Mode and DH group (DH2, 1024) fields.) Specify the settings that are explained in the following table. Table 35, VPN client IPSec configuration settings: VPN Client address: either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the VPN firewall's LAN; the computer for which the VPN client opened a tunnel appears in the LAN with this IP address. Address Type: select Subnet address from the drop-down list. This selection defines which addresses the VPN client can communicate with after the VPN tunnel is established. Remote LAN address: enter 192.168.1.0 as the remote IP address, that is, the LAN network address of the gateway that opens the VPN tunnel. Subnet Mask: enter 255.255.255.0 as the remote subnet mask of the gateway that opens the VPN tunnel.
339. nagement purposes. In this example, we are using ModeConfigNA_Sales. Note: The name is not supplied to the remote VPN endpoint. Direction / Type: Responder is automatically selected when you select the Yes radio button in the Mode Config Record section of the screen. This ensures that the VPN firewall responds to an IKE request from the remote endpoint but does not initiate one. Exchange Mode: Aggressive mode is automatically selected when you select the Yes radio button in the Mode Config Record section of the screen. Local: Select Local Gateway: from the drop-down list, select one of the four WAN interfaces to function as the local gateway. Identifier Type: from the drop-down list, select FQDN. Note: Mode Config requires that the VPN firewall (that is, the local end) is defined by an FQDN. Identifier: enter an FQDN for the VPN firewall. In this example, we are using router.com. Table 44, Add IKE Policy screen settings for a Mode Config configuration (continued): Remote: Identifier Type: from the drop-down list, select FQDN. Note: Mode Config requires that the remote end is defined by an FQDN. Identifier: enter the FQDN for the remote end. This needs to be an FQDN that is not used in any other IKE policy. In this example, we are using client.com.
340. nal units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes. Note: A Microsoft Active Directory database uses an LDAP organization schema. LDAP: a network-validated, domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes. To create a domain: 1. Select Users > Domains. The Domains screen displays. The following figure shows the VPN firewall's default domain, geardomain, and, as an example, several other domains in the List of Domains table. (Figure 136: the Domains screen, with the Local Authentication setting "Do you want to disable Local Authentication? Yes / No" and the List of Domains table with columns Domain Name, Authentication Type and Portal Layout Name, listing geardomain, Customers and LDAP_Users; Select All, Delete and Add buttons.) The List of Domains table displays the domains with the following fields: Check box: allows you to select the domain in the t
341. nation. This packet (unicast) is sent to the device from the WAN network. For other settings, see Table 81 on page 322. Recommended Action: None. ICMP Redirect Logs. Table 89, System logs: unicast redirect. Message: Feb 2007 22:14:36:07 SRX5308 kernel: LOG_PACKET SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1. Explanation: This packet is an ICMP redirect message sent to the device by another device. For other settings, see Table 81 on page 322. Recommended Action: To enable these logs, from the CLI command prompt of the VPN firewall, enter this command: monitor firewallLogs logger loggerConfig logIcmpRedirect 1. And to disable it, enter: monitor firewallLogs logger loggerConfig logIcmpRedirect 0. Multicast/Broadcast Logs. Table 90, System logs: multicast/broadcast. Message: Jan 1 07:24:13 SRX5308 kernel: MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138. Explanation: This multicast or broadcast packet is sent to the device from the WAN network. For other settings, see Table 87 on page 322. Recommended Action: None. WAN Status: This section describes the logs generated by the WAN component. If there are several ISP links for Internet connectivity, the VPN firewall can be configured either in auto-rollover or load bala
342. ncing mode. Load Balancing: When the WAN mode is configured for load balancing, all the WAN ports are active simultaneously and the traffic is balanced between them. If one WAN link goes down, all the traffic is diverted to the other WAN links that are active. This section describes the logs generated when the WAN mode is set to load balancing. Table 91, System logs: WAN status, load balancing. Messages: (1) Dec 1 12:11:27 SRX5308 wand: LBFO: Restarting WAN1; (2) Dec 1 12:11:31 SRX5308 wand: LBFO: Restarting WAN2; (3) Dec 1 12:11:35 SRX5308 wand: LBFO: WAN1 UP WAN2 UP; (4) Dec 1 12:24:12 SRX5308 wand: LBFO: WAN1 UP WAN2 DOWN; (5) Dec 1 12:29:43 SRX5308 wand: LBFO: Restarting WAN2; (6) Dec 1 12:29:47 SRX5308 wand: LBFO: WAN1 UP WAN2 DOWN. Explanation: Message 1 and Message 2 indicate that both the WANs are restarted. Message 3 shows that both the WANs are up and the traffic is balanced between the two WAN interfaces. Message 4 shows that one of the WAN links is down; at this point, all the traffic is directed through the WAN that is up. Recommended Action: None. Auto Rollover: When the WAN mode is configured for auto rollover, the primary link is active and the secondary link acts only as a backup. When the primary link goes down, the secondary link becomes active, only until the
343. nd Traffic; Virtual Private Networks. What to Consider Before You Begin: The VPN firewall is a powerful and versatile solution for your networking needs. To make the configuration process easier, and to understand all of the choices that are available to you, consider the following before you begin. 1. Plan your network. a. Determine whether you will use one or several WAN ports. For one WAN port, you might need a fully qualified domain name, either for convenience or to remotely access a dynamic WAN IP address. b. If you intend to use several WAN ports, determine whether you will use them in auto-rollover mode for increased system reliability or in load balancing mode for maximum bandwidth efficiency. See the topics in this appendix for more information. Your decision has the following implications: Fully qualified domain name (FQDN): for auto-rollover mode, you will need an FQDN to implement features such as exposed hosts and virtual private networks; for load balancing mode, you might still need an FQDN, either for convenience or to remotely access a dynamic WAN IP address. Protocol binding: for auto-rollover mode, protocol binding does not apply; for load balancing mode, decide which protocols should be bound to a specific WAN port. You can also add your own service protocols to the list. 2. Set up your accounts. a. Obtain active Internet servic
344. ne of the following options: Percentage of Max Sessions: a percentage of the total session connection capacity of the VPN firewall. Number of Sessions: an absolute number of maximum sessions. User Limit: enter a number to indicate the user limit. The default value is 3. If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single source device, as a percentage of the total session connection capacity of the VPN firewall. The session limit is per-device based. If the User Limit Parameter is set to Number of Sessions, the number specifies an absolute value. Note: Some protocols, such as FTP and RSTP, create two sessions per connection, which should be considered when configuring a session limit. Total Number of Packets Dropped due to Session Limit: this is a nonconfigurable counter that displays the total number of dropped packets when the session limit is reached. Session Timeout (TCP Timeout, UDP Timeout, ICMP Timeout): for each protocol, specify a time-out in seconds. A session expires if no data for the session is received for the duration of the time-out period. The default time-out periods are 1200 seconds for TCP sessions, 180 seconds for UDP sessions, and 8 seconds for ICMP sessions. 4. Click Apply to save your settings.
345. necting the VPN Firewall to the Internet. Table 10, Add QoS screen settings for a priority profile (continued): Priority: from the drop-down list, select the priority queue that determines the allocation of bandwidth. Low: all services that are assigned a low priority queue share 10 percent of interface bandwidth. High: all services that are assigned a high priority queue share 60 percent of interface bandwidth. Note: By default, all services are assigned the medium priority queue, in which they share 30 percent of the interface bandwidth. Hosts (Start IP, End IP, Select Group): these settings are not applicable to a priority profile. Bandwidth Allocation (Min Bandwidth, Max Bandwidth). Diffserv QoS Remark: enter a DSCP value in the range of 0 through 63. Packets are marked with this value. Leave this field blank to disable packet marking. 4. Click Apply to save your settings. The profile is added to the List Of QoS Profiles table on the QoS screen. To edit a QoS profile: 1. In the Custom Services table, click the Edit table button to the right of the profile that you want to edit. The Edit QoS screen displays. This screen shows the same fields as the Add QoS screen (see the previous two figures). 2. Modify the settings as explained in the previous two tables. 3. Click Apply to save your settings.
346. nection Status: the connection status can be either Connected or Disconnected. IP Address, Subnet Mask, Gateway, DNS Server: the addresses that were automatically detected (see Automatically Detecting and Connecting on page 25) or that you have configured on the WAN ISP Settings screen (see Manually Configure the Internet Connection on page 28). DHCP Server: the DHCP server that was automatically detected. This field is displayed only when your ISP does not require a login and the IP address is acquired dynamically from your ISP. You have configured these settings on the WAN ISP Settings screen (see Manually Configure the Internet Connection on page 28). Lease Obtained: the time when the DHCP lease was obtained. Lease Duration: the period that the DHCP lease remains in effect. Depending on the type of connection, any of the following buttons might be displayed on the Connection Status screen: Renew: click to renew the DHCP lease. Release: click to disconnect the DHCP connection. Disconnect: click to disconnect the static IP connection. View the Attached Devices and DHCP Log: The LAN Groups screen shows the network database, which is the Known PCs and Devices table that contains all IP devices that the VPN firewall has discovered on the local network. The LAN Setup screen lets you access
347. nformation about creating bandwidth profiles, see Create Bandwidth Profiles on page 118. Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Set a Schedule to Block or Allow Specific Traffic on page 121. Add Customized Services: Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the VPN firewall already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for
348. ng to prevent the VPN firewall from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks. Block TCP flood: select the Block TCP flood check box to enable the VPN firewall to drop all invalid TCP packets and to protect the VPN firewall from a SYN flood attack. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made. By default, the Block TCP flood check box is cleared. Table 20, Attack Checks screen settings (continued): LAN Security Checks: Block UDP flood: select the Block UDP flood check box to prevent the VPN firewall from accepting more than 20 simultaneous active UDP connections from a single device on the LAN. By default, the Block UDP flood check box is cleared. A UDP flood is a form of denial-of-service attack that can be initiated when one device sends a large number of UDP packets to random ports on a remote host. As a result, the distant host does the following: 1. Checks for the application listening at that port. 2. Sees that no application is listening at that port. 3. Repli
349. ng Description. Log Options: Log Identifier: enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to the log messages. The default identifier is SRX5308. Routing Logs: from the Accepted Packets and Dropped Packets columns, select check boxes to specify which traffic is logged: LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, WAN to DMZ. System Logs: select the check boxes to specify which system events are logged. Change of Time by NTP: logs a message when the system time changes after a request from an NTP server. Login Attempts: logs a message when a login is attempted. Both successful and failed login attempts are logged. Secure Login Attempts: logs a message when a secure login is attempted. Both successful and failed secure login attempts are logged. Reboots: logs a message when the VPN firewall has been rebooted through the web management interface. No message is logged when the reset button has been pushed to reboot the VPN firewall. All Unicast Traffic: all incoming unicast packets are logged. All Broadcast/Multicast Traffic: all incoming broadcast and multicast packets are logged. WAN Status: WAN link status-related events are logged. Resolved DNS Names: all resolved DNS names are logged. VPN: all VPN events are logged. Other Event
350. ngs (continued). Setting / Description: SPI Outgoing: the Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters, for example, 0x1234. Integrity Algorithm: from the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process. SHA-1: hash algorithm that produces a 160-bit digest. This is the default setting. MD5: hash algorithm that produces a 128-bit digest. Key In: the integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm: MD5: enter 16 characters; SHA-1: enter 20 characters. Key Out: the integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm: MD5: enter 16 characters; SHA-1: enter 20 characters. Auto Policy Parameters: Note: These fields apply only when you select Auto Policy as the policy type. SA Lifetime: the lifetime of the security association (SA) is the period, or the amount of transmitted data, after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified. Seconds: in the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds. KBytes: in the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB. Encryption Algorithm: Fr
351. nostics Utilities on page 289. Basic Functioning: After you turn on power to the VPN firewall, the following sequence of events should occur: 1. When power is first applied, verify that the Power LED is on. 2. After approximately 2 minutes, verify that: a. the Test LED is no longer lit; b. the left LAN port LEDs are lit for any local ports that are connected; c. the left WAN port LEDs are lit for any WAN ports that are connected. If a port's left LED is lit, a link has been established to the connected device. If a port is connected to a 1000 Mbps device, verify that the port's right LED is green. If the port functions at 100 Mbps, the right LED is amber. If the port functions at 10 Mbps, the right LED is off. If any of these conditions do not occur, see the appropriate following section. Power LED Not On: If the Power and other LEDs are off when your VPN firewall is turned on, make sure that the power cord is correctly connected to your VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR Technical Support. Test LED Never Turns Off: When the VPN firewall is powered on, the Test LED turns on for approximately 2 minutes and then turns off when the VPN firewall has completed its initialization. If the Test LED remains on, there is a fault within th
352. ns the data that are explained in the following table. These fields are explained in more detail in Table 38 on page 162. Table 37, IKE Policies screen information: Name: the name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy. Note: The name is not supplied to the remote VPN endpoint. Mode: the exchange mode, Main or Aggressive. Local ID: the IKE/ISAKMP identifier of the VPN firewall. The remote endpoint needs to have this value as its remote ID. Remote ID: the IKE/ISAKMP identifier of the remote endpoint, which needs to have this value as its local ID. Encr: the encryption algorithm that is used for the IKE security association (SA). This setting needs to match the setting on the remote endpoint. Auth: the authentication algorithm that is used for the IKE SA. This setting needs to match the setting on the remote endpoint. DH: the Diffie-Hellman (DH) group that is used when exchanging keys. This setting needs to match the setting on the remote endpoint. To delete one or more IKE policies: 1. Select the check box to the left of the policy that you want to delete, or click the Select All table button to select all IKE policies. 2.
353. nt dual gateway WAN ports for increased reliability, before and after rollover; dual gateway WAN ports for load balancing. VPN Road Warrior: Single Gateway WAN Port (Reference Case). In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port needs to act as the responder. (Figure 190: Road Warrior Example, Single WAN Port. Client B, a remote PC running the NETGEAR ProSafe VPN Client with WAN IP 0.0.0.0, connects to Gateway A, the VPN router at the employer's main office, with WAN IP 10.5.6.1, FQDN bzrouter.dyndns.org and LAN 10.5.6.0/24. Fully qualified domain names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.) The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN needs to be used. If the IP address is fixed, an FQDN is optional. VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability. In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active WAN port (port WAN1 in the following figure) because the IP address of the remote PC client is not known in advance. The gateway WAN port needs to act as a responder. (Figure: Road Warrior Example, Dual WAN Ports, Before Rollover; LAN 10.5.6.0/24.) Client B
354. ntent Filtering. (Figure 63: the QoS screen showing the List of QoS Profiles table with columns Profile Name, QoS Type, Priority and Action, example rows of IP Precedence, DSCP and Default profiles, and the Select All, Delete and Add buttons.) The screen displays the List of QoS Profiles table with the user-defined profiles. 2. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays. (Figure 64: the Add QoS Profile screen with the Profile Name, Re-Mark, QoS Type (IP Precedence or DSCP), QoS Value (for IP Precedence 0 to 7, for DSCP 1 to 63) and QoS Priority fields.) 3. Enter the settings as explained in the following table. Table 23, Add QoS Profile screen settings: Profile Name: a descriptive name of the QoS profile for identification and management purposes. Re-Mark: select the Re-Mark check box to set the differentiated services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value. If you clear the Re-Mark check box, which is the default setting, the QoS profile is specified only by the QoS priority. QoS Type: from the QoS drop-down list, select one of the following traffic classification methods: IP Precedence: a legacy method that sets the priority in the ToS byte of an IP header. DSCP: a method that sets the Differentiated Services Code Point (DSCP) in the Differentiated S
355. nternet for services that you have not yet defined. To expose one of the PCs on your LAN or DMZ as this host: 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. See an example in the following figure. WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network. (Screenshot of the LAN WAN Rules screen: the Default Outbound Policy setting with Apply button; the Outbound Services table with columns Service Name, Filter, LAN Users, WAN Users, QoS Profile, Bandwidth Profile, Log and Action, including example rules for REAL AUDIO and an "Allow by schedule" rule; the Inbound Services table with columns Service Name, Filter, LAN Server IP Address, LAN Users, WAN Users, QoS Profile, Bandwidth Profile, Log and Action; each table has Select All, Delete, Enable, Disable and Add buttons.)
356. ocal authentication, make sure that there is at least one external administrative user; otherwise, access to the VPN firewall is blocked. If you change local authentication, click Apply in the Domain screen to save your settings. To delete one or more domains: 1. In the List of Domains table, select the check box to the left of the domain that you want to delete, or click the Select All table button to select all domains. You cannot delete a default domain. 2. Click the Delete table button. Edit Domains. To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 136 on page 221). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit. The Edit Domains screen displays. This screen is very similar to the Add Domains screen (see the previous figure). 3. Modify the settings as explained in the previous table. You cannot modify the Domain Name and Authentication Type fields. 4. Click Apply to save your changes. The modified domain is displayed in the List of Domains table. Note: You cannot edit the geardomain default domain. Configure Groups for VPN Policies: The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default dom
357. ol: TCP, UDP, ICMP. ICMP Type: a numeric value that can range between 0 and 40. For a list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. This field is enabled only when you select ICMP from the Type drop-down list. Start Port: the first TCP or UDP port of a range that the service uses. This field is enabled only when you select TCP or UDP from the Type drop-down list. Finish Port: the last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields. This field is enabled only when you select TCP or UDP from the Type drop-down list. 3. Click Apply to save your settings. The new custom service is added to the Custom Services Table. To edit a service: 1. In the Custom Services table, click the Edit table button to the right of the service that you want to edit. The Edit Service screen displays. (Figure 60: the Edit Service screen with the Name (Traceroute), Type, ICMP Type, Start Port and End Port fields.) 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified service is displayed in the Custom Services Table. To delete one or more services: 1. In the Custom Services table, select the check box to the left of the service th
358. olume: increasing 245; limiting LAN traffic 268; limiting WAN traffic 265; reducing 243; viewing by protocol 266. traps, SNMP 255. troubleshooting: basic functioning 294; browsers 296; configuration settings, using sniffer 295; date and time 300; ISP connection 296; LEDs 294, 295; NTP 300; remote management 253; testing the LAN path 298; testing your setup 299; time-out error 296; using the utilities 289; web management interface 295. trusted certificates 235, 236. trusted domains 126. Two-Factor Authentication (WiKID): CHAP and PAP 220, 222; overview 341, 344. Type of Service, see ToS. TZO.com 42, 45. U: UDP flood: blocking 108; time-out 110. upgrading firmware 259. UPnP (Universal Plug and Play), configuring 132. user accounts, configuring 227. user database 172. user name, default 21. user portal 217. user types 228, 233. users: active VPN users 281; administrator (admin) settings 248, 250; assigned groups 228; login policies 229, 232; passwords and login time-out, changing 233. users policies, SSL VPN 210, 215. V: VCI (vendor class identifier) 31. versions, firmware 275. videoconferencing: DMZ port 72; from restricted address 101. virtual LAN, see VLAN. Virtual Private Network Consortium (VPCN) 13, 136. virtual private network, see VPN tunnels. VLANs: configuring and assigning 57, 63; DHCP options 58; DHCP server and DHCP relay, configuring 61; LDAP server, configuring 63; overview 55; port m
359. om the Bandwidth Allocation drop-down list. Start IP: the IP address for a single IP address, or the start IP address for an IP address range. End IP: the end IP address for an IP address range. Select Group: from the drop-down list, select the LAN group to which the profile is applied. For information about LAN groups, see Manage Groups and Hosts (LAN Groups) on page 67. Bandwidth Allocation: from the drop-down list, specify how the bandwidth is allocated: Shared: the bandwidth is shared among all members of the group. Individual: the bandwidth is allocated to each member of the group. Min Bandwidth: enter the minimum bandwidth in Kbps that is allocated to the host. The default value is 0 Kbps. Max Bandwidth: enter the maximum bandwidth in Kbps that is allocated to the host. The default value is 100 Kbps. Diffserv QoS Remark: enter a DSCP value in the range of 0 through 63. Packets are marked with this value. Leave this field blank to disable packet marking. 4. Click Apply to save your settings. The profile is added to the List Of QoS Profiles table on the QoS screen. To add a priority QoS profile: 1. Select Network Configuration > QoS. The QoS screen displays. 2. Under the List of QoS Profiles table, click the Add table button. The Add QoS screen displays. T
360. om the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
• DES: Data Encryption Standard (DES).
• 3DES: Triple DES. This is the default algorithm.
• AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192: AES with a 192-bit key size.
• AES-256: AES with a 256-bit key size.
Integrity Algorithm: From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5: Hash algorithm that produces a 128-bit digest.
[Virtual Private Networking Using IPSec Connections, page 171]
Table 40. Add New VPN Policy screen settings (continued)
Setting: Description
PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits; the higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)
Select IKE Policy: Select an existing IKE policy that defines the characteristics of the Phase 1 negotiation. Click the View Selected button to display the selected IKE po
361. ommunity string. Note: A subnet mask of 255.255.255.255 or 0.0.0.0 is not supported.
Port: The SNMP trap port of the SNMP manager that is allowed to receive the VPN firewall's SNMP traps. The default port number is 162.
Community: The community string to which the SNMP agent belongs.
3. Click the Add table button. The SNMP configuration is added to the SNMP Configuration table.
> To edit an SNMP configuration:
1. On the SNMP screen (see the previous figure), click the Edit button in the Action column for the SNMP configuration that you want to modify. The Edit SNMP Configuration screen displays.
[Figure 155: Edit SNMP Configuration screen, with IP Address, Subnet Mask, Port, and Community fields]
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
> To delete one or more SNMP configuration entries:
1. On the SNMP screen (see Figure 154 on page 254), select the check box to the left of the SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations.
2. Click the Delete table button.
[Network and System Management, page 255]
Manage the VPN Firewall's SNMP System Information
The following VPN firewall identification information is available to an SNMP manager: system contact, system location, and system
362. ompromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. For information about how to enable the DMZ port, see Configure and Enable the DMZ Port on page 72. For the procedures on how to configure DMZ traffic rules, see Set DMZ WAN Rules on page 95.
Exposed Hosts. Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. For an example of how to set up an exposed host, see LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host on page 104.
VPN Tunnels. The VPN firewall supports up to 125 site-to-site IPSec VPN tunnels and up to 50 dedicated SSL VPN tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. For information about IPSec VPN tunnels, see Chapter 5, Virtual Private Networking Using IPSec Connections. For information about SSL VPN tunnels, see Chapter 6, Virtual Private Networking Using SSL Connections.
Use QoS and Bandwidth Assignment to Shift the Traffic Mix
By specifying QoS and bandwidth profiles and assigning these profiles to outbound and inbound firewall rules, you can shift the traffic mix to aim for optimum performance of the VPN firewall.
Assign QoS Profiles
The QoS profile s
363. on, providing increased data rate and increased system reliability.
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources, and support for up to 200,000 internal or external connections.
• Advanced IPSec VPN and SSL VPN support, with support for up to 125 concurrent IPSec VPN tunnels and up to 50 concurrent SSL VPN tunnels.
• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
• Extensive protocol support.
• Easy, web-based wizard setup for installation and management.
• One console port for local management.
• SNMP manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
• One-U rack mountable using the rack mounting kit.
Quad WAN Ports for Increased Reliability and Outbound Load Balancing
The VPN firewall provides four broadband WAN ports. These WAN ports allow you to connect additional broadband Internet lines that can be configured to:
• Load balance between up to four lines for maximum bandwidth efficiency.
• Provide backup and rollover if one line is inoperable, ensuring
364. [Figure 143: By Source IP Address screen for user guest, showing the Defined Addresses Status radio buttons (Deny Login from Defined Addresses, Allow Login only from Defined Addresses), the Defined Addresses table with an example entry (source address type IP Address, address 192.168.199.44), and the Add Defined Addresses section with Source Address Type, Network Address/IP Address, and Mask Length fields]
4. In the Defined Addresses Status section of the screen, select one of the following radio buttons:
• Deny Login from Defined Addresses: Deny logging in from the IP addresses in the Defined Addresses table.
• Allow Login only from Defined Addresses: Allow logging in from the IP addresses in the Defined Addresses table.
5. Click Apply to save your settings.
[Managing Users, Authentication, and Certificates, page 230]
6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table.
Table 59. Defined addresses settings
Setting: Description
Source Address Type: Select the type of address from the drop-down list:
• IP Address: A single IP address.
• IP Network: A subnet of IP addresses. You need to enter a netmask length in the Mask Length field.
Network Address / IP Address: Depending on your selection from the Source Address Type drop-down list, enter the IP address or the network address
365. ons:
• Any: The rule applies to all PCs and devices on your LAN.
• Single address: The rule applies to the address of a particular PC.
• Address range: The rule applies to a range of addresses.
• Groups: The rule is applied to a group of PCs. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the network database, which is described in Manage the Network Database on page 68. PCs and network devices are entered into the network database by various methods that are described in Manage Groups and Hosts (LAN Groups) on page 67.
WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address:
• Any: The rule applies to all Internet IP addresses.
• Single address: The rule applies to a single Internet IP address.
• Address range: The rule applies to a range of Internet IP addresses.
Schedule. You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 121.
QoS profile. You can define QoS profiles and then apply them to inbound rules to regulate the priority of traffic. For information abo
366. or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table.
Table 3. PPTP and PPPoE settings
Setting: Description
Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button and enter the following settings:
Account Name: The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your email ID assigned by your ISP). Some ISPs require you to enter your full email address here.
Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You can leave this field blank.
Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
My IP Address: The IP address assigned by the ISP to make the connection with the ISP server.
[Connecting the VPN Firewall to the Internet, page 29]
Table 3. PPTP and PPPoE settings (continued)
Setting: Description
Austria (PPTP) (continued): Server IP Address: The IP address of the PPTP server.
Other (PPPoE): I
367. or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional.
VPN Telecommuter (Dual Gateway WAN Ports for Improved Reliability)
In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in the following figure) because the IP address of the remote NAT router is not known in advance. The gateway WAN port needs to act as the responder.
[Network Planning for Multiple WAN Ports, page 319]
[Figure 199: Telecommuter example, dual WAN ports before rollover. Client B, the telecommuter's remote PC running the NETGEAR ProSafe VPN Client at the home office, sits behind NAT Router B. Gateway A (bzrouter1.dyndns.org), the VPN router at the employer's main office, has WAN1 active and WAN2 inactive (WAN2 IP: N/A); its LAN is 10.5.6.0/24 (addresses 10.5.6.1 and 0.0.0.0 appear in the figure). Fully qualified domain names (FQDNs): required for fixed IP addresses, required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN port could be either WAN1 or WAN2; that is, the IP address of the active WAN port is not known in advance. After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in the following figure), and the remote PC needs to
368. or information about connection types, see Configure the Internet Connections on page 24.
Connection State: The connection state can be either Connected or Not Connected, depending on whether the WAN port is physically connected to a modem or router. For information about connecting a WAN port, see the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide.
WAN Connection Type: The detected type of Internet connection that is used on this port. The WAN connection type can be DSL, ADSL, CableModem, T1, or T3.
Upload Connection Speed: The maximum upload speed that is provided by your ISP.
Download Connection Speed: The maximum download speed that is provided by your ISP.
[Monitoring System Access and Performance, page 278]
Table 69. Detailed Status screen information (continued)
Item: Description
IP Address: The IP address of the WAN port.
Subnet Mask: The subnet mask of the WAN port.
Gateway: The IP address of the gateway.
Primary DNS Server: The IP address of the primary DNS server.
Secondary DNS Server: The IP address of the secondary DNS server.
These settings are either obtained dynamically from your ISP or specified by you on the WAN ISP Settings screen for this port (see Manually Configure the Internet Connection on page 28).
MAC Address: The default MAC address for this po
369. or organization is involved.
• Auto: Some settings for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) Protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).
[Virtual Private Networking Using IPSec Connections, page 165]
In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates on page 234). To use a CA, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed and is used by any sender to encrypt data intended for the receiver (the key owner). The receiver then uses its private key to decrypt the data; without the private key, decryption is impossible. The use of certificates for authentication reduces the amount of data entry that is required on each VPN endpoint.
VPN Policies Screen
The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. These are the rules for VPN policy use:
• Traffic covered by a policy is automatically sent via a VPN tunnel.
• Wh
370. ork resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user needs to provide authentication information such as a user name and password, or some encrypted response using his or her user name and password information. The gateway then attempts to verify this information, first against a local user database (if RADIUS PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
> To configure primary and backup RADIUS servers:
1. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays.
[Virtual Private Networking Using IPSec Connections, page 174]
[Figure 108: RADIUS Client screen (IPSec VPN submenu tabs: IKE Policies, VPN Policies, VPN Wizard, Mode Config, RADIUS Client). Primary RADIUS Server section: Yes/No radio buttons for "Do you want to enable a Primary RADIUS Server?", Primary Server IP Address, Secret Phrase, Primary Server NAS Identifier (SRX5308). Backup RADIUS Server section: Yes/No radio buttons for "Do you want to enable a Backup RADIUS Server?", Backup Server IP Address, Secret Phrase, Backup Server NAS Identifier (SRX5308). Time-out period (sec), Maximum Retry Count.]
2. Complete the settings as explained in the following table.
Table 42. RADIUS Client screen settings
Settings: Description
Primary RADIUS Server: Select the Yes r
371. ote: If you select the default NTP servers or if you enter a custom server FQDN, the VPN firewall determines the IP address of the NTP server by performing a DNS lookup. You need to configure a DNS server address on a WAN ISP Settings screen (see Manually Configure the Internet Connection on page 28) before the VPN firewall can perform this lookup.
[Network and System Management, page 262]
Monitoring System Access and Performance
This chapter describes the system monitoring features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.
Note: To receive logs by email, you need to configure the email notification server (see Activate Notification of Events, Alerts, and Syslogs on page 269).
This chapter contains the following sections:
• Enable the WAN Traffic Meter
• Enable the LAN Traffic Meter
• Activate Notification of Events, Alerts, and Syslogs
• View Status and Log Screens
• Use the Diagnostics Utilities
Enable the WAN Traffic Meter
If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the traffic meter for one or more WAN ports.
>
372. ou can change the default policy of Allow Always to Block Always to block all outbound traffic, which then allows you to enable only specific services to pass through the VPN firewall.
> To change the default outbound policy:
1. Select Security > Firewall. The Firewall submenu tabs display, with the LAN WAN Rules screen in view. The following figure shows some examples.
[Firewall Protection, page 91]
[Figure 42: LAN WAN Rules screen. Security submenu tabs: Port Triggering, UPnP, Bandwidth Profile, Content Filtering; Firewall tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advanced. The Default Outbound Policy drop-down list (set to Block Always in the example) with its Apply button; the outbound rules table (columns: Service Name, Filter, LAN Users, WAN Users, QoS Profile, Bandwidth Profile, Log, Action) with two example rules; and the inbound rules table (columns: Service Name, Filter, LAN Server IP Address, LAN Users, WAN Users, Destination, QoS Profile, Bandwidth Profile, Log, Action) with one example rule. Each table has Select All, Delete, Enable, Disable, and Add buttons, and Edit, Up, and Down buttons per rule.]
2. Next to Default Outbound Policy, select Block Always from the drop-down list.
3. Next to the drop-down list, click the Apply table button.
373. ou need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks, regardless of whether you have a fixed or dynamic IP address.
• For load balancing mode, you might still need a fully qualified domain name (FQDN), either for convenience or if you have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet.
> To configure DDNS:
1. Select Network Configuration > Dynamic DNS. The Dynamic DNS screen displays (see the following figure). The WAN Mode section on the screen reports the currently configured WAN mode, for example, Single Port (WAN1), Load Balancing, or Auto-Rollover. Only those options that match the configured WAN mode are accessible on the screen.
2. Select the submenu tab for your DDNS service provider:
• Dynamic DNS (which is shown in the following figure) for DynDNS.org
• DNS TZO for TZO.com
• DNS Oray for Oray.net
• 3322 DDNS for 3322.org
[Connecting the VPN Firewall to the Internet, page 43]
[Dynamic DNS screen (Dynamic DNS tab for DynDNS.org): Current WAN Mode: Single Port (WAN1). WAN1 Dynamic DNS Status: service is not enabled; Configured DDNS: none. Fields: Host and Domain Name (example: yourname.dyndns.org), Username, Password, Use wildcards, Update every 30 days.]
374. [Figure 78 (partial): VPN Wizard screen for a gateway-to-gateway tunnel; the default values shown include DH Group 2 (1024 bit), 24 hours, 3DES, SHA-1, 6 hours, DH Group 2 (1024 bit), Enabled]
2. Complete the settings as explained in the following table.
Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel
Setting: Description
About VPN Wizard
This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port's IP address or Internet name appears in the End Point Information section of the screen.
Connection Name and Remote IP Type
What is the new Connection Name: Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
What is the pre-shared key: Enter a pre-shared key. The key needs to be entered both here and on the remote VPN gateway. This key needs to have a minimum length of 8 characters and should not exceed 49 characters.
This VPN tunnel will use following local WAN Interface: From the drop-down list, select one of the four WAN interfaces of the VPN firewall to specify which WAN interface the VPN tunnel uses as the local endpoint.
Enable RollOver: If you have configured the VPN firewall to function in WAN auto-rollover mode (see Configure the Auto-Rollover Mode and Failure Detection Method on page 34), select the Enable RollOver check box. Then, from the corresponding drop-down list, select the backup WAN interface. After
375. ouped table as an example.
[Firewall Protection, page 114]
[Figure 62: Edit IP Group screen, showing the IP Group Name and IP Group Type (WAN Group) fields, the Add IP Address section, and example IP addresses in the IP Addresses Grouped table with Select All and Delete buttons]
5. In the IP Address fields, type an IP address.
6. Click the Add table button to add the IP address to the IP Addresses Grouped table.
7. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table.
8. Click the Edit table button to return to the IP Groups screen.
> To edit an IP group:
1. In the Custom IP Groups table, click the Edit table button to the right of the IP group that you want to edit. The Edit IP Group screen displays.
2. In the Edit New Custom IP Group section of the screen, modify the settings that you wish to change:
• You can change the group name.
• You can change the group type.
• You can delete an IP address from the IP Addresses Grouped table by selecting the check box to the left of the IP address that you want to delete and then clicking the Delete table button. You can delete all IP addresses by selecting the Select All table button and clicking the Delete table button.
• You can add IP addresses to the IP Addresses Grouped table (see step 4, step 5, and step 6 in the previous procedure).
3. Click the Edit table button to return to I
376. outing
Manage Virtual LANs and DHCP Options
A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all endpoints. Endpoints can communicate with each other without the need for a router. Routers connect LANs together, routing the traffic to the appropriate port.
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic needs to go through a router, just as if the VLANs were on two separate LANs.
A VLAN is a group of PCs, servers, and other network resources that behave as if they were connected to a single network segment, even though they might not be. For example, all marketing personnel might be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
VLANs have a number of advantages:
• They make it easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Eac
377. over, the VPN tunnel collapses and needs to be reestablished using the new WAN IP address. However, you can configure automatic IPSec VPN rollover to ensure that an IPSec VPN tunnel is reestablished.
[Figure 188: Dual WAN ports before rollover and after rollover. Before rollover: the gateway's WAN1 IP is active and netgear.dyndns.org resolves to it; the WAN2 port is inactive (WAN2 IP: N/A). After rollover: the WAN1 port is inactive (WAN1 IP: N/A) and netgear.dyndns.org resolves to the WAN2 IP. The IP address of the active WAN port changes after a rollover, so use of fully qualified domain names is always required.]
• Dual WAN ports in load balancing mode: A dual WAN port load balancing gateway configuration is the same as a single WAN port configuration when you specify the IP address of the VPN tunnel endpoint. Each IP address is either fixed or dynamic, based on the ISP. You need to use FQDNs when the IP address is dynamic, and FQDNs are optional when the IP address is static.
[Figure 189: Dual WAN ports, load balancing gateway. The VPN router has netgear1.dyndns.org for the WAN1 IP and netgear2.dyndns.org for the WAN2 IP. The IP addresses of the WAN ports are the same as in the single WAN port case; use of fully qualified domain names is required for dynamic IP addresses and optional for fixed IP addresses.]
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall such as a VPN firewall:
• Single gateway WAN port
• Redunda
378. owing figure shows parts of the screen.
[Monitoring System Access and Performance, page 276]
[Detailed Status screen (partial). LAN Port 1 Configuration: VLAN Profile defaultVlan, VLAN ID 1, MAC Address 00:00:00:00:00:01, IP Address 192.168.1.1, Subnet Mask 255.255.255.0, DHCP Status DHCP Enabled. LAN Port 2 Configuration: VLAN Profile SalesVLAN, VLAN ID 2, MAC Address 00:00:00:00:00:01, IP Address 192.174.60.22, Subnet Mask 255.255.255.0, DHCP Status DHCP Disabled. LAN Port 3 Configuration and LAN Port 4 Configuration: not shown in this example. Two WAN port panels are shown, both with WAN Mode Single Port and NAT Enabled: one with WAN State DOWN, Connection Type DHCP, Connection State Not Connected; the other with WAN State UP, Connection Type Static IP, Connection State Connected. Both panels show WAN Connection Type Other and Upload and Download Connection Speed 1000000 Kbps. One panel shows IP Address 10.34.116.22, Subnet Mask 255.255.255.248, Gateway 10.34.116.23, Primary DNS Server 10.151.34.170, Secondary DNS Server 0.0.0.0, MAC Address 00:00:00:00:00:02; the other shows IP Address 0.0.0.0, Subnet Mask 0.0.0.0, Gateway 0.0.0.0, Primary DNS Server 0.0.0.0, Secondary DNS Server 0.0.0.0, MAC Address 00:00:00:00:00:03.]
379. [Figure 142: Login Policies screen for user guest, showing the Disable Login and Deny Login from WAN Interface check boxes]
In the User Login Policies section of the screen, make the following selections:
• To prohibit this user from logging in to the VPN firewall, select the Disable Login check box.
• To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface check box. In this case, the user can log in only from the LAN interface.
[Managing Users, Authentication, and Certificates, page 229]
Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators.
4. Click Apply to save your settings.
Configure Login Restrictions Based on IP Address
> To restrict logging in based on IP address:
1. Select Users > Users. The Users screen displays (see Figure 140 on page 227).
2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs display, with the Login Policies screen in view.
3. Click the by Source IP Address submenu tab. The By Source IP Address screen displays. The following figure shows an IP address in the Defined Addresses table as an example.
[By Source IP Address screen: submenu tabs Login Policies, by Source IP Address, by Client Browser]
380. p
2. Complete the settings as explained in the following table.
[Virtual Private Networking Using IPSec Connections, page 141]
Table 30. IPSec VPN Wizard settings for a client-to-gateway tunnel
Setting: Description
About VPN Wizard
This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (srx_remote.com) and the default local FQDN (srx_local.com) appear in the End Point Information section of the screen.
Connection Name and Remote IP Type
What is the new Connection Name: Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
What is the pre-shared key: Enter a pre-shared key. The key needs to be entered both here and on the remote VPN gateway or the remote VPN client. This key needs to have a minimum length of 8 characters and should not exceed 49 characters.
This VPN tunnel will use following local WAN Interface: From the drop-down list, select one of the four WAN interfaces of the VPN firewall to specify which WAN interface the VPN tunnel uses as the local endpoint.
Enable RollOver: If you have configured the VPN firewall to function in WAN auto-rollover mode (see Configure the Auto-Rollover Mode and Failure Detection Method on page 34), select the Enable RollOver check box. Then
381. page 114.
WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any: All Internet IP addresses are covered by this rule.
• Single address: Enter the required address in the Start field.
• Address range: Fill in the Start and End fields.
• IP Group: Select the IP group to which the rule applies. Use the IP Groups screen to assign IP addresses to groups. See Create IP Groups on page 114.
DMZ Users: The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
• Any: All PCs and devices on your DMZ network.
• Single address: Enter the required address to apply the rule to a single PC on the DMZ network.
• Address range: Enter the required addresses in the Start and End fields to apply the rule to a range of DMZ computers.
QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Create Quality of Service (QoS) Profiles on page 116.
Note: There is no default QoS profile on the VPN firewall. After you ha
382. pare to physically connect the firewall to your cable or DSL modems and a computer. Instructions for connecting the VPN firewall are in the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide.
Cabling and Computer Hardware Requirements
For you to use the VPN firewall in your network, each computer needs to have an Ethernet network interface card (NIC) installed and needs to be equipped with an Ethernet cable. If the computer will connect to your network at 100 Mbps or higher speeds, you need to use a Category 5 (Cat5) cable.
[Network Planning for Multiple WAN Ports, page 307]
Computer Network Configuration Requirements
The VPN firewall integrates a web management interface. To access the configuration screens on the VPN firewall, you need to use a Java-enabled web browser that supports HTTP uploads, such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later, with JavaScript, cookies, and SSL enabled. Free browsers are readily available for Windows, Macintosh, and UNIX/Linux.
For the initial connection to the Internet and configuration of the VPN firewall, you need to connect a computer to the VPN firewall, and the computer needs to be configured to automatically get its TCP/IP configuration from the VPN firewall via DHCP.
The cable or DSL modem broadband access device needs to provide a standard 10 Mbps (10BASE-T) Ethernet interface
383. plained in the following table.
Table 66. Add LAN Traffic Meter Account screen settings
Setting: Description
Add LAN Traffic Meter Account
LAN IP Address: The LAN IP address for the account.
Direction: From the Direction drop-down list, select the direction in which traffic is measured:
• Inbound traffic: Restrictions are applied to incoming traffic when the traffic limit is reached.
• Both directions: Restrictions are applied to both incoming and outgoing traffic when the traffic limit is reached.
Limit: Enter the monthly traffic volume limit in MB. The default setting is 0 MB.
Traffic Counter
Restart Traffic Counter: Select one of the following radio buttons to specify when the traffic counter restarts:
• Restart Traffic Counter Now: Select this option and click Apply at the bottom of the screen to restart the traffic counter immediately.
• Restart Traffic Counter at a Specific Time: Restart the traffic counter at a specific time and day of the month. Fill in the time fields and select the day of the month from the drop-down list.
Send e-mail report before restarting counter: An email report is sent immediately before the counter restarts. Ensure that emailing of logs is enabled on the Email and Syslog screen (see Activate Notification of Events, Alerts, and Syslogs on page 269).
When Limit is reached
Block Traffic: Select one of the following radio buttons to specify what action the VPN firewall
384. plied to the VPN firewall.
Test:
• On (amber) during startup. Test mode: the VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off.
• On (amber) during any other time. The initialization has failed, or a hardware failure has occurred.
• Blinking (amber). The VPN firewall is writing to flash memory (during upgrading or resetting to defaults).
• Off. The system has booted successfully.
LAN Ports
Left LED:
• On (green). The LAN port has detected a link with a connected Ethernet device.
• Blinking (green). Data is being transmitted or received by the LAN port.
• Off. The LAN port has no link.
Right LED:
• On (green). The LAN port is operating at 1000 Mbps.
• On (amber). The LAN port is operating at 100 Mbps.
• Off. The LAN port is operating at 10 Mbps.
DMZ LED:
• On (green). Port 4 is operating as a dedicated hardware DMZ port.
• Off. Port 4 is operating as a normal LAN port.

Table 1. LED descriptions (continued)
LED | Activity | Description
WAN Ports
Left LED:
• On (green). The WAN port has a valid connection with a device that provides an Internet connection.
• Blinking (green). Data is being transmitted or received by the WAN port.
• Off. The WAN port has no physical link, that is, no Ethernet cable is plugged into the VPN firewall.
Right LED:
• On (green). The WAN port is operating at 10
385. policy by blocking all outbound traffic and then enabling only specific services to pass through the VPN firewall. You do so by adding outbound services rules (see LAN DMZ Outbound Services Rules on page 99).

To access the LAN DMZ Rules screen:
1. Select Security > Firewall > LAN DMZ Rules. The LAN DMZ Rules screen displays.
[Figure 48: LAN DMZ Rules screen, showing the Outbound Services and Inbound Services tables with Service Name, Filter, LAN Users, DMZ Users, Log, and Action columns and the Select All, Delete, Enable, Disable, and Add buttons]

To make changes to an existing outbound or inbound service rule:
In the Action column to the right of the rule, click one of the following table buttons:
• Edit. Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN DMZ Outbound Service screen (identical to Figure 49 on page 99) or the Edit LAN DMZ Inbound Service screen (identical to Figure 50 on page 100) displays, containing the data for the selected rule.
• Up. Moves the rule up one position in the table rank.
• Down. Moves the rule down one position in the table rank.

To delete or disable one or more rules:
1. Select
386. port number. The options are:
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and End fields to apply the rule to a range of devices.
Send to DMZ Server: The DMZ server address determines which computer on your network is hosting this service rule. You can also translate this address to a port number.
Translate to Port Number: You can enable this setting and specify a port number if you want to assign the LAN server or DMZ server to a specific port.
WAN Destination IP Address: The setting that determines the destination IP address applicable to incoming traffic. This is the public IP address that maps to the internal LAN server. This address can be either the address of one of the WAN interfaces or another public IP address when you have a secondary WAN address configured. You also have the option to enter an address range. Enter the required addresses in the Start and End fields to apply the rule to a range of devices.

Table 19. Inbound rules overview (continued)
Setting | Description
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
• Any. All PCs and devices on your LAN.
• Single address. Enter the required address to appl
387. portal layout.
b. Create one or more groups for your SSL VPN users. When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you need to assign an authentication domain when creating a group, the group is created after you have created the domain.
c. Create one or more SSL VPN user accounts. Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 202). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers. The VPN firewall resolves the names to the servers using the list you have created.
4. For SSL VPN tunnel service, configure the virtual network adapter (see Configure the SSL VPN Client on page 205). For the SSL VPN tunnel option, the VPN firewall creates a virtual network adapter on the remote PC that then functions as if it were on the local network. Configure the portal's SSL VPN client to define a pool of local IP addresses to be issued to remote clients, as well as DNS addresses. Declare
388. r Messages

Table 118. DHCP Logs (continued)
Message | Explanation
Message 1: The DHCP server is listening on eth0 1.
Message 2: Release of the currently assigned IP address from the host by the DHCP server.
Message 3: DHCP broadcast by the host is discovered by the DHCP server.
Message 4: The DHCP server offers a new IP address to the host's current network interface.
Message 5: Two new leases are written to the lease file.
Message 6: DHCP is requested to assign the new IP address by the host.
Message 7: DHCP acknowledgment to the current network interface from the server on assignment of the new IP address.
Recommended Action: None.

Two-Factor Authentication
This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. This appendix contains the following sections:
• Why Do I Need Two-Factor Authentication?
• NETGEAR Two-Factor Authentication Solutions

Why Do I Need Two-Factor Authentication?
In today's market, online identity theft and online fraud continue to be among the fastest-growing cybercrime activities used by many unethical hackers and cybercriminals to steal digital assets for financial gain. Many companies and corporations are losing millions of dollars and running the risk of revealing their trade secrets and other proprietary information.
389. r load balancing mode, and is also required for VPN tunnel failover. When the WAN ports function in load balancing mode, you cannot configure VPN tunnel failover. An FQDN is optional when the WAN ports function in load balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic. See Virtual Private Networks on page 313 for more information about the IP addressing requirements for VPNs in the dual WAN modes.
For information about how to select and configure a Dynamic DNS service for resolving FQDNs, see Configure Dynamic DNS on page 42. For information about WAN mode configuration, see Configure the WAN Mode on page 32.
The following diagrams and table show how the WAN mode selection relates to VPN configuration.
[Figure 74: WAN Auto-Rollover: FQDN Required for VPN. The same FQDN is required for both WAN ports; the WAN 1 and WAN 2 ports reach the Internet through the VPN firewall's rollover control, which sits in front of the rest of the VPN firewall functions.]
[Figure 75: WAN Load Balancing: FQDN Optional for VPN. An FQDN is required for dynamic IP addresses and optional for static IP addresses; the WAN 1 and WAN 2 ports reach the Internet through the VPN firewall's load balancing control, which sits in front of the rest of the VPN firewall functions.]
The following ta
390. r [unreadable entry] 337; DMZ to WAN Logs 337; WAN to LAN Logs 337; DMZ to LAN Logs 337; WAN to DMZ Logs 338; Other Event Logs 338; Session Limit Logs 338; Source MAC Filter Logs 338; Bandwidth Limit Logs 339; DHCP Logs 339
Appendix D Two-Factor Authentication: Why Do I Need Two-Factor Authentication? 341; What Are the Benefits of Two-Factor Authentication? 341; What Is Two-Factor Authentication? 342; NETGEAR Two-Factor Authentication Solutions 342
Appendix E Notification of Compliance

Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308. This chapter contains the following sections:
• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the VPN Firewall

What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the VPN firewall,
391. rade challenge messages, each responding with a hash of the other's challenge message that is calculated using a shared secret value.
RADIUS: A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS).
MIAS: A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.
WiKID: WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period. The client logs in with the passcode. See Appendix D, Two-Factor Authentication, for more on WiKID authentication.
NT Domain: A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method has been superseded by Microsoft Active Directory authentication, but is supported to authenticate legacy Windows clients.
Active Directory: A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure. Because the Active Directory supports a multilevel hierarchy (for example, groups or organizatio
392. rations
Table: VPN configurations and reference cases
Configuration | WAN IP address | Single WAN port configurations | Rollover mode | Load balancing mode
VPN Road Warrior (Client to Gateway) | Fixed | Allowed (FQDN optional) | FQDN required (a) | Allowed (FQDN optional)
VPN Road Warrior (Client to Gateway) | Dynamic | FQDN required | FQDN required (a) | FQDN required
VPN Gateway to Gateway | Fixed | Allowed (FQDN optional) | FQDN required (a) | Allowed (FQDN optional)
VPN Gateway to Gateway | Dynamic | FQDN required | FQDN required (a) | FQDN required
VPN Telecommuter (Client to Gateway through NAT Router) | Fixed | Allowed (FQDN optional) | FQDN required (a) | Allowed (FQDN optional)
VPN Telecommuter (Client to Gateway through NAT Router) | Dynamic | FQDN required | FQDN required (a) | FQDN required
a. After a rollover, all tunnels need to be reestablished using the new WAN IP address.

For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations:
• Dual WAN ports in auto-rollover mode. A dual WAN port auto-rollover gateway configuration is different from a single WAN port gateway configuration when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed.
Note: When the VPN firewall's WAN port rolls
393. rator login password (case-sensitive): password
Guest user name (case-sensitive): guest
Guest login password (case-sensitive): password
Internet connection
WAN MAC address: Use default address
WAN MTU size: 1500
Port speed: 10/100/1000 AutoSense
Local network (LAN)
LAN IP address: 192.168.1.1
Subnet mask: 255.255.255.0
RIP direction: None
RIP version: Disabled

Table 75. VPN firewall default configuration settings (continued)
Feature | Default behavior
RIP authentication: Disabled
DHCP server: Enabled
DHCP starting IP address: 192.168.1.2
DHCP ending IP address: 192.168.1.100
Management
Time zone: GMT
Time zone adjusted for daylight savings time: Disabled
SNMP: Disabled
Remote management: Disabled
Firewall
Inbound communications (coming in from the Internet): All communication denied
Outbound communications (from the LAN to the Internet): All communication allowed
Source MAC filtering: Disabled
Stealth mode: Enabled
Respond to ping on Internet ports: Disabled

The following table shows the physical and technical specifications for the VPN firewall.
Table 76. VPN firewall physical and technical specifications
Feature | Specification
Network protocol and standards compatibility
Data and Routing Protocols: TCP/IP
394. reen displays for the WAN interface that you selected. The following figure shows the WAN1 Secondary Addresses screen as an example and includes one entry in the List of Secondary WAN addresses table.
[Figure 22: WAN1 Secondary Addresses screen, showing the List of Secondary WAN addresses table (IP Address 192.168.50.10, Subnet Mask 255.255.255.0) with the Select All and Delete buttons, and the Add WAN1 Secondary Addresses section with IP Address and Subnet Mask fields]
The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the WAN port.
• Subnet Mask. Enter the subnet mask for the secondary IP address.
5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.
Repeat step 4 and step 5 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.

To delete one or more secondary addresses:
1. In the List of Secondary WAN addresses table, select the check box to the left of the address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.

Configure Dynamic DNS
Dynamic DNS (DDNS) is an Internet
395. rewall's SSL VPN portal can provide two levels of SSL service to the remote user:
• SSL VPN tunnel. The VPN firewall can provide the full network connectivity of a VPN tunnel using the remote user's browser instead of a traditional IPSec VPN client. The SSL capability of the user's browser provides authentication and encryption, establishing a secure connection to the VPN firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC to allow the remote user to virtually join the corporate network. The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user's PC. The VPN firewall assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.
• SSL port forwarding. Like an SSL VPN tunnel, port forwarding is a web-based client that is installed transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tunnel in several ways: Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols. Port forwarding detects and reroutes individual data streams on the u
396. right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified bandwidth profile is displayed in the List of Bandwidth Profiles table.

To delete one or more bandwidth profiles:
1. In the List of Bandwidth Profiles table, select the check box to the left of the bandwidth profile that you want to delete, or click the Select All table button to select all profiles.
2. Click the Delete table button to delete the selected profile or profiles.

Set a Schedule to Block or Allow Specific Traffic
Schedules define the time frames under which firewall rules can be applied. Three schedules (Schedule 1, Schedule 2, and Schedule 3) can be defined, and you can select any one of these when defining firewall rules.

To set a schedule:
1. Select Security > Schedule. The Schedule submenu tabs display, with the Schedule 1 screen in view.
[Figure: Schedule 1 screen. "Do you want this schedule to be active on all days or specific days?" with All Days / Specific Days radio buttons and Sunday through Saturday check boxes; "Do you want this schedule to be active all day or at specific times during the day?" with Start Time Hour and Minute fields]
397. rks correctly, test the path from your PC to a remote device. From the Windows run menu, type:
ping -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
• Check that your PC has the IP address of your VPN firewall listed as the default gateway. (If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel.)
• Check to see that the network address of your PC (the portion of the IP address that is specified by the netmask) is different from the network address of the remote device.
• Check that the modem or router is connected and functioning.
• If your ISP assigned a host name, system name, or account name to your PC, enter that name in the Account Name field on the WAN ISP Settings screen for the WAN interface that you are troubleshooting. You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configure the Internet Connection on page 28).
• Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single
398. rough the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The VPN firewall is programmed to recognize some of these applications and to work correctly with them, but there are other applications that might not function well. In some cases, local PCs can run the application correctly if those PCs are used on the DMZ port.
Note: A separate firewall security profile is provided for the DMZ port that is also physically independent of the standard firewall security component that is used for the LAN.
The DMZ Setup screen lets you set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 4; see Front Panel on page 14) and configure an IP address and subnet mask for the DMZ port.

To enable and configure the DMZ port:
1. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays.
[Figure: DMZ Setup screen. DMZ Port Setup: "Do you want to enable DMZ Port?" (Yes/No), IP Address, Subnet Mask. DHCP for DMZ Connected Computers: Disable DHCP Server, Enable DHCP Server, Enable LDAP information, Domain Name, Start IP, End IP, LDAP Server, Search Base, Port (enter 0 for default port), Primary DNS]
399. round the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1 inch clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the VPN firewall, see Appendix A, Default Settings and Technical Specifications.

Using the Rack Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.
[Figure 4: Attaching the rack-mounting brackets]
Before mounting the VPN firewall in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the VPN firewall is suitably located.

Connecting the VPN Firewall to the Internet
This chapter contains the following sections:
• Internet and WAN Configuration Tasks
• Log In to the VPN Firewall
• Configure the Internet Connections
• Configure the WAN Mode
• Configure Secondary WAN Addresses
• Configure Dynamic DNS
• Configure WAN QoS Profiles
• Configure Advanced WAN Options
• What to Do Next

Internet and WAN Configuration Tasks
Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch
400. routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such as ping, traceroute, DNS lookup, and remote reboot.
• Remote management. The VPN firewall allows you to log in to the web management interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall's front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day, according to the terms that are identified in the Warranty and Support information card provided with your product.

Package Contents
The VPN firewall product package contains the following items:
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 appliance
• One AC power cable
• Rubber feet (4)
• One Category 5 (Cat5) Ethernet cable
• One rack mounting kit
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Gu
401. rt (for more information, see the note following this table), or the MAC address that you have specified on the WAN Advanced Options screen for this port. For information about configuring the MAC address, see Configure Advanced WAN Options on page 51.
Note: The default MAC addresses for the LAN and WAN ports are:
• 00:00:00:00:00:01, shared by the LAN1, LAN2, LAN3, and LAN4 ports
• 00:00:00:00:00:02, unique for the WAN1 port
• 00:00:00:00:00:03, unique for the WAN2 port
• 00:00:00:00:00:04, unique for the WAN3 port
• 00:00:00:00:00:05, unique for the WAN4 port
• 00:00:00:00:00:06, unique for the DMZ port (LAN4 port, if enabled)

View the Router Statistics Screen
To view the Router Statistics screen:
1. Select Monitoring > Router Status. The Status tabs display, with the Router Status screen in view (see Figure 166 on page 276).
2. Click the Show Statistics option arrow in the upper right of the Router Status screen. The Router Statistics screen displays.
[Figure: Router Statistics screen, showing the auto-refresh countdown, System up Time, per-interface packet counters including Collisions, and the Poll Interval (Seconds) field]
The following table explains the fields of the Router Statistics screen.
Table 70. Router Stati
402. rts

Internet Connection Information
Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP.
• ISP Login Name. The login name and password are case-sensitive and need to be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full email address as the login name. The service name is not required by all ISPs. If you connect using a login name and password, then fill in the following:
Login Name:
Password:
Service Name:
• Fixed or Static IP Address. If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address:
Gateway IP Address:
Subnet Mask:
• ISP DNS Server Addresses. If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address:
Secondary DNS Server IP Address:
• Host and Domain Names. Some ISPs use a specific host or domain name, such as CCA7324-A or home. If you have not been given host or domain names, you can use the following examples as a guide: If your main email account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name. If your ISP's mail server is mail.xxx.yyy.com, then use xxx.y
403. rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any external WAN IP address according to the schedule created in the Schedule screen.

To create a new outbound DMZ WAN service rule:
1. In the DMZ WAN Rules screen, click the Add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen displays. The following figure shows an example.
[Figure 46: Add DMZ WAN Outbound Service screen, with Service, Action (ALLOW always), Select Schedule (Schedule 1), DMZ Users (Start/End), WAN Users (Start/End), QoS Profile, Log, and NAT IP fields]
2. Enter the settings as explained in Table 18 on page 84.
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.

DMZ WAN Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the DMZ is allowed. Inbound rules that are configured on the LAN WAN Rules screen take precedence over inbound rules that are configured on the DMZ WAN Rules screen. As a result, if an inbound packet matches an inbound rule on the LAN WAN Rules screen, it
404. rvice (QoS) Profiles on page 116.

Outbound Rules (Service Blocking)
The VPN firewall allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Note: See Enable Source MAC Filtering on page 126 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.
WARNING: Allowing inbound services opens security holes in your VPN firewall. Enable only those ports that are necessary for your network.
The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 43 on page 93, Figure 46 on page 96, and Figure 49 on page 99). The steps to configure outbound rules are described in the following sections:
• Set LAN WAN Rules
• Set DMZ WAN Rules
• Set LAN DMZ Rules

Table 18. Outbound rules overview
Setting | Description
Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 112).
Action: The action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note: Any outbound traffic that is no
405. s
[Figure 151: Users screen, showing the List of Users table (Default Users) with the Select All, Delete, and Add buttons]
2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays.
[Figure 152: Edit User screen. Username: admin; User Authentication Type: local; Select User Type: Administrator; Check to Edit Password; Enter Your Password; New Password; Confirm New Password; Idle Timeout]
3. Select the Check to Edit Password check box. The password fields become available.
4. Enter the old password, enter the new password, and then confirm the new password.
Note: The ideal password should contain no dictionary words from any language and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 30 characters.
5. As an option, you can change the idle time-out for an administrator login session. Enter a new number of minutes in the Idle Timeout field. The default setting is 5 minutes.
6. Click Apply to save your settings.
7. Repeat step 2 through step 6 for the user with the name guest.
Note: After a factory default reset, the password and time-out value are changed back to password and 5 minutes, respectively.
You can also change the administrator lo
406. s
[Figure 109: Mode Config screen, with the List of Mode Config Records table (Record Name, Pool Start IP, Pool End IP, Action) and the Select All, Delete, and Add buttons]
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:
• For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown.
• For NA Sales, a first pool (172.25.100.50 through 172.25.100.90), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown.
2. Under the List of Mode Config Records table, click the Add table button. The Add Mode Config Record screen displays.
[Add Mode Config Record screen, with Record Name; First, Second, and Third Pool Start IP and End IP; WINS Server (Primary, Secondary); DNS Server (Primary, Secondary); PFS Key Group (Group 2, 1024-bit); SA Lifetime (3600 Seconds); Encryption Algorithm; Integrity Algorithm; Local Subnet IP Address; Local Subnet Mask] Figure 11
407. s configured using an inbound firewall rule.

To configure NAT:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays (see Figure 17 on page 34).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button.
3. Click Apply to save your settings.

Configure Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN needs to have a valid static Internet IP address. If your ISP has allocated a number of static IP addresses to you and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment. To learn the status of the WAN ports, you can view the Router Status screen (see View the System Router Status and Statistics on page 275).

To configure classical routing:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays (see Figure 17 on page 34).
2. In the NAT (Network Address Translation) section of the screen, select the Classical Routing radio button.
3. Click Apply to save your settings.

Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure t
408. ...s is the default LAN IP address (192.168.1.1). For information about configuring VLAN profiles, see Configure a VLAN Profile on page 59.
Subnet Mask: The subnet mask for this port. If the VLAN is not enabled on this port, the subnet mask is the default LAN IP subnet mask (255.255.255.0). For information about configuring VLAN profiles, see Configure a VLAN Profile on page 59.
DHCP Status: The status can be either DHCP Enabled or DHCP Disabled. For information about enabling DHCP for this port, see Configure a VLAN Profile on page 59.
WAN Info: The following fields are shown for each of the four WAN ports:
- WAN Mode: The WAN mode can be Single Port, Load Balancing, or Auto Rollover. For information about configuring the WAN mode, see Configure the WAN Mode on page 32.
- WAN State: The WAN state can be either UP or DOWN, depending on whether the port is connected to the Internet and whether the port is enabled. For information about connecting WAN ports, see Configure the Internet Connections on page 24.
- NAT: The NAT state can be either Enabled or Disabled, depending on whether NAT is enabled (see Configure Network Address Translation on page 33) or classical routing is enabled (see Configure Classical Routing on page 33).
- Connection Type: The connection type can be Static IP, DHCP, PPPoE, or PPTP, depending on whether the WAN address is obtained dynamically through a DHCP server or assigned statically by you. F...
409. ...s optional. Enter a WINS server IP address to specify the Windows NetBIOS server, if one is present in your network.
Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
DHCP Relay: Select the DHCP Relay radio button to use the VPN firewall as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
- Relay Gateway: The IP address of the DHCP server for which the VPN firewall serves as a relay.
[LAN Configuration, page 74]
Table 14. DMZ Setup screen settings (continued)
Setting / Description
Enable LDAP information: Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings:
- LDAP Server: The IP address or name of the LDAP server.
- Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
  - cn (for common name)
  - ou (for organizational unit)
  - o (for organization)
  - c (for country)
  - dc (for domain)
  For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net
- Port: The port number for the LDAP server. The default setting...
410. ...s to Display VPN Tunnel page: Select this check box to provide full network connectivity.
Port Forwarding: Select this check box to provide access to specific defined network services. See Configure Applications for Port Forwarding on page 202.
Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still access the hidden pages unless you create SSL VPN access policies to prevent access to these pages.
4. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the SSL Portal Login Screen on page 216.
To edit a portal layout:
1. On the Portal Layouts screen (see Figure 124 on page 199), click the Edit button in the Action column for the portal layout that you want to modify. The Edit Portal Layout screen displays. This screen is identical to the Add Portal Layout screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
[Virtual Private Networking Using SSL Connections, page 201]
To delete one or more portal layouts:
1. On the Portal Layouts screen (see Figure 124 on page 199), select the check box to the left of the portal layout that you want to delete, or click the Select All table button to select all layouts. You cannot delete the S...
411. ...sable.
3. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
4. Click Apply to save your changes.
[Firewall Protection, page 129]
To edit an IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified IP/MAC binding is displayed in the IP/MAC Bindings table.
To remove one or more IP/MAC bindings from the table:
1. Select the check box to the left of the IP/MAC binding that you want to delete, or click the Select All table button to select all bindings.
2. Click the Delete table button.
Configure Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Once configured, port triggering operates as follows:
1. A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table.
2. The VPN firewall records this connection, opens the additional incoming port or ports that are associated with the rule in the port triggering table, and associates t...
412. ...sabled, depending on the DHCP configuration that you have specified on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
Port Membership: The ports that you have associated with the VLAN on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
View and Disconnect Active Users
The Active Users screen displays a list of administrators, IPSec VPN, and SSL VPN users that are currently logged in to the VPN firewall.
To display the list of active VPN users:
Select Monitoring > Active Users. The Active Users screen displays.
[Monitoring System Access and Performance, page 281]
[Figure 169: Active Users screen (Monitoring tabs: Router Status, Traffic Meter, Diagnostics, Firewall Logs & E-mail, VPN Logs, Active Users). Columns: Username, Group, IP Address, Login Time, Action. Row shown: admin, geardomain, IP address [illegible], Sun Mar 7 11:47:06 2010, Disconnect.]
The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user's table entry.
View the VPN Tunnel Connection Status
To view the status of current IPSec VPN tunnels:
Select VPN > Connection Status. The VPN Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view. The following figure shows an IPSec SA...
413. ...se default: Users are authenticated locally on the VPN firewall. This is the default setting. You do not need to complete any other fields on this screen.
- Radius-PAP: RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
- Radius-CHAP: RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
- Radius-MSCHAP: RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
- Radius-MSCHAPv2: RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
- WIKID-PAP: WiKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
- WIKID-CHAP: WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
- MIAS-PAP: Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
- MIAS-CHAP: Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and Authentication Secret fields.
- NT Domain: Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
- Active Directory: Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
- LDAP: Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base...
414. ...se 2 negotiation failed due to time up waiting for phase 1. ESP 20.0.0.1->20.0.0.2_
2000 Jan 1 04:53:05 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_
2000 Jan 1 04:53:05 [SRX5308] [IKE] Configuration found for 20.0.0.1_
2000 Jan 1 04:53:05 [SRX5308] [IKE] Initiating new phase 1 negotiation: 20.0.0.2[500]<->20.0.0.1[500]_
2000 Jan 1 04:53:05 [SRX5308] [IKE] Beginning Identity Protection mode_
2000 Jan 1 04:53:05 [SRX5308] [IKE] Setting DPD Vendor ID_
2000 Jan 1 04:53:36 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase 1. ESP 20.0.0.1->20.0.0.2_
Explanation: Phase 1 and phase 2 negotiations failed because of a mismatch of the WAN IP address in the IPSec VPN policy and the WAN IP address of the remote host attempting to establish the IPSec VPN tunnel.
Recommended Action: None.
Table 100. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec)
Messages 1 through 4:
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received request for new phase 1 negotiation: 20.0.0.2[500]<->20.0.0.1[500]_
2000 Jan 1 04:13:39 [SRX5308] [IKE] Beginning Identity Protection mode_
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: RFC XXXX_
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: DPD_
Message 5:
2000 Jan 1 04:13:39 [SRX5308] [IKE] DPD is Enabled_
Message 6:
2000 Jan 1 04:13:39 [SRX5308] [IKE] For 20.0.0.1[500]...
415. ...ser's PC to the port forwarding connection, rather than opening up a full tunnel to the corporate network. Port forwarding offers more fine-grained management than an SSL VPN tunnel. You define individual applications and resources that are available to remote users.
The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on how you set up the configuration.
Overview of the SSL Configuration Process
To configure and activate SSL connections, perform the following six basic steps in the order that they are presented:
1. Edit the existing SSL portal or create a new one (see Create the Portal Layout on page 198). When remote users log in to the VPN firewall, they see a portal page that you can customize to present the resources and functions that you choose to make available.
2. Create authentication domains, user groups, and user accounts (see Configure Domains, Groups, and Users on page 202).
   a. Create one or more authentication domains for authentication of SSL VPN users. When remote users log in to the VPN firewall, they need to specify a domain to which their login account belongs. The domain determines the authentication method that is used and the portal layout that is presented, which in turn determines the network resources to which the users are granted access. Because you need to assign a portal layout when creating a domain, the domain is created after you have created the...
416. ...sers.
[Figure 144: Defined Browsers screen. Defined Browsers table (Client Browsers column; Netscape Navigator shown); buttons: Select All, Delete. Add Defined Browser section: Client Browser drop-down (Internet Explorer shown); Add.]
4. In the Defined Browsers Status section of the screen, select one of the following radio buttons:
- Deny Login from Defined Browsers: Deny logging in from the browsers in the Defined Browsers table.
- Allow Login only from Defined Browsers: Allow logging in from the browsers in the Defined Browsers table.
5. Click Apply to save your settings.
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list:
- Internet Explorer
- Opera
- Netscape Navigator
- Firefox (Mozilla Firefox)
- Mozilla (Other Mozilla browsers)
7. Click the Add table button. The browser is added to the Defined Browsers table.
8. Repeat step 6 and step 7 for any other browsers that you want to add to the Defined Browsers table.
To delete one or more browsers:
1. In the Defined Browsers table, select the check box to the left of the browser that you want to delete, or click the Select All table button to select all browsers.
2. Click the Delete table button.
[Managing Users, Authentication, and Certificates, page 232]
Change Passwords and Other User Settings
For any user, you can change the password, user type, and idle time-out settings. Only...
417. ...service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you need to set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. Links to DynDNS, TZO, Oray, and 3322 are provided for your convenience as option arrows on the DDNS configuration screens. The VPN firewall firmware includes software that notifies DDNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet.
[Connecting the VPN Firewall to the Internet, page 42]
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently, hence the need for a commercial DDNS service, which allows you to register an extension to its domain and resolves DNS requests for the resulting FQDN to your frequently changing IP address.
After you have configured your account information on the VPN firewall, when your ISP-assigned IP address changes, your VPN firewall automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.
Consider the following:
- For auto-rollover mode, y...
418. ...significant volume of messages.
LAN to WAN Logs
Table 108. Routing Logs: LAN to WAN
Message: Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
- This packet from LAN to WAN has been allowed by the firewall.
- For other settings, see Table 87 on page 322.
Recommended Action: None.
[System Logs and Error Messages, page 336]
LAN to DMZ Logs
Table 109. Routing Logs: LAN to DMZ
Message: Nov 29 09:44:06 [SRX5308] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
- This packet from LAN to DMZ has been allowed by the firewall.
- For other settings, see Table 81 on page 322.
Recommended Action: None.
DMZ to WAN Logs
Table 110. Routing Logs: DMZ to WAN
Message: Nov 29 09:19:43 [SRX5308] [kernel] DMZ2WAN[DROP] IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
- This packet from DMZ to WAN has been dropped by the firewall.
- For other settings, see Table 81 on page 322.
Recommended Action: None.
WAN to LAN Logs
Table 111. Routing Logs: WAN to LAN
Message: Nov 29 10:05:15 [SRX5308] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
- This packet from LAN to WAN has be...
419. ...splayed:
- Check box: Allows you to select the PC or device in the table.
- Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). If the PC or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk.
- IP Address: The current IP address of the PC or device. For DHCP clients of the VPN firewall, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed.
- MAC Address: The MAC address of the PC or device's network interface.
- Group: Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
- Profile Name: The VLAN to which the PC or device is assigned.
- Action: The Edit table button that provides access to the Edit Groups and Hosts screen.
Add PCs or Devices to the Network Database
To add PCs or devices manually to the network database:
1. In the Add Known PCs and Devices section of the LAN Groups screen (see Figure 34 on page 68), enter the settings as explained in the following table.
Table 13. Known PCs and devices settings
Se...
420. ...ss reliable than DPD, does not require any support from the peer device.
[Virtual Private Networking Using IPSec Connections, page 191]
Configure Keep-alives
The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies.
To configure the keep-alive feature on a configured VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. The following figure shows only the top part of the screen with the General section.
[Figure 121: Edit VPN Policy screen (Operation succeeded). General section fields: Policy Name; Policy Type; Select Local Gateway; Remote Endpoint (IP Address); Enable NetBIOS; Enable RollOver; Enable Keepalive (Yes / No); Ping IP Address; Detection Period (Seconds); Reconnect after failure count. The address values in the screenshot are illegible.]
3. Enter the settings as explained in the following table.
Table 48. Keep-alive settings
Setting / Description
General
Enable Keepalive: Select a radio button to specify if keep-alive is enabled:
- Yes: This feature is enabled. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote...
421. ...ss to which the notifications are sent. Typically, this address is the e-mail address of an administrator.
Select one of the following radio buttons to specify SMTP server authentication:
- No Authentication: The SMTP server does not require authentication.
- Login Plain: The SMTP server requires authentication with regular login. Specify the user name and password to be used for authentication.
- CRAM-MD5: The SMTP server requires authentication with CRAM-MD5 login. Specify the user name and password to be used for authentication.
SMTP Server (continued):
- User name: The user name for SMTP server authentication.
- Password: The password for SMTP server authentication.
Respond to Identd from SMTP Server: Select the Respond to Identd from SMTP Server check box to respond to Ident protocol messages. The Ident protocol is a weak scheme to verify the sender of an e-mail. A common daemon program for providing the Ident service is Identd.
Send e-mail logs by Schedule
Unit: Enter a schedule for sending the logs. From the Unit drop-down list, select one of the following:
- Never: No logs are sent.
- Hourly: The logs are sent every hour.
- Daily: The logs are sent daily. Specify the time.
- Weekly: The logs are sent weekly. Specify the day and time.
Day: From the Day drop-down list, select the day on which the logs are sent.
Time: From the Time drop-down list, select the hour on which the logs are sent, and then select either...
422. ...st time by resetting system time.
Message 4: Display date and time before synchronization, that is, when resynchronization started.
Message 5: Display the new updated date and time.
Message 6: Next synchronization will be after the specified time. Example: In these logs, the next synchronization will be after 2 hours. The synchronization time interval is configurable via the CLI.
Recommended Action: None.
[System Logs and Error Messages, page 323]
Login/Logout
This section describes logs generated by the administrative interfaces of the device.
Table 83. System logs: login/logout
Message: Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10
Explanation: Login of user admin from host with IP address 192.168.10.10.
Recommended Action: None.
Message:
Nov 28 14:55:09 [SRX5308] [seclogin] Logout succeeded for user admin
Nov 28 14:55:13 [SRX5308] [seclogin] Login succeeded: user admin from 192.168.1.214
Explanation: Secure login/logout of user admin from host with IP address 192.168.1.214.
Recommended Action: None.
System Startup
This section describes log messages generated during system startup.
Table 84. System logs: system startup
Message: Jan 1 15:22:28 [SRX5308] [ledTog] [SYSTEM START-UP] System Started
Explanation: Log generated when the system is started.
Recommended Action...
423. ...stics screen information
Item / Description
System up Time: The period since the last time that the VPN firewall was started up.
Router Statistics: For each of the four WAN interfaces and for all LAN interfaces combined, the following statistics are displayed:
- Tx Pkts: The number of transmitted packets on the port, in bytes.
- Rx Pkts: The number of received packets on the port, in bytes.
- Collisions: The number of signal collisions that have occurred on the port. (A collision occurs when the port attempts to send data at the same time as a port on the other router or computer that is connected to this port.)
- Tx B/s: The number of transmitted bytes per second on the port.
- Rx B/s: The number of received bytes per second on the port.
- Up Time: The period that the port has been active since it was restarted.
To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
View the VLAN Status
The VLAN Status screen displays information about the VLANs, both enabled and disabled, that are configured on the VPN firewall. For information about configuring VLAN profiles, see Configure a VLAN Profile on page 59. For information about enabling and disabling VLAN profiles, see Assign and Manage VLAN Profiles on page 57.
[Monitoring System Access and Performance, page 280]
To view the V...
424. ...t names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net
- Port: The port number for the LDAP server. The default setting is 0 (zero).
DNS Proxy
Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the VPN firewall to provide a LAN IP address for DNS address name resolution. This setting is disabled by default.
Note: When you deselect the Enable DNS Proxy radio button, the VPN firewall still services DNS requests that are sent to its LAN IP address.
Inter VLAN Routing
Enable Inter VLAN Routing: This is optional. Select the Enable Inter VLAN Routing radio button to ensure that traffic is routed only to VLANs for which inter-VLAN routing is enabled. This setting is disabled by default. When the Enable Inter VLAN Routing radio button is not selected, traffic from this VLAN is not routed to other VLANs, and traffic from other VLANs is not routed to this VLAN.
4. Click Apply to save your settings.
Note: For information about how to manage VLANs, see Assign and Manage VLAN Profiles on page 57.
[LAN Configuration, page 63]
Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded, except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 4, Firewall Protection.
Note: For information about the DHC...
425. ...t Gateway-Tunnel-P2 deleted
2011-06-24 15:43:59 Default SA Gateway-P1 SEND Informational HASH DELETE
2011-06-24 15:43:59 Default Gateway-P1 deleted
2011-06-24 15:44:08 Default SA Gateway-P1 SEND phase 1 Aggressive Mode SA KEY_EXCH NONCE ID VID VID VID ID VID
2011-06-24 15:44:08 Default SA Gateway-P1 RECV phase 1 Aggressive Mode HASH SA KEY_EXCH NONCE ID NAT_D NAT_D VID ID ID
15:44:08 Default SA Gateway-P1 SEND phase 1 Aggressive Mode HASH NAT_D NAT_D
15:44:08 Default phase 1 done: initiator id remote.com, responder id local.com
15:44:08 Default SA Gateway-Tunnel-P2 SEND phase 2 Quick Mode HASH SA KEY_EXCH NONCE ID ID
15:44:08 Default SA Gateway-P1 RECV Informational HASH NOTIFY
15:44:09 Default SA Gateway-Tunnel-P2 RECV phase 2 Quick Mode HASH SA KEY_EXCH NONCE ID ID
15:44:09 Default SA Gateway-Tunnel-P2 SEND phase 2 Quick Mode HASH
15:44:38 Default SA Gateway-P1 SEND Informational HASH NOTIFY type DPD_R_U_THERE
15:44:38 Default SA Gateway-P1 RECV Informational HASH NOTIFY type DPD_R_U_THERE_ACK
15:45:08 Default SA Gateway-P1 SEND Informational HASH NOTIFY type DPD_R_U_THERE
15:45:08 Default SA Gateway-P1 RECV Informational HASH NOTIFY type DPD_R_U_THERE_ACK
2011-06-24 15:45:38 Default SA Gateway-P1 SEND Informational HASH NOTIFY type DPD_R_U_THERE
[Figure 101: VPN client log viewer (Current line 43, Max lines 10000). The leading dates are cut off on several lines of the screenshot.]
View the VPN F...
426. ...t IP addresses.
- Schedule: You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 121.
- QoS profile: You can define QoS profiles and then apply them to outbound rules to regulate the priority of traffic. For information about how to define QoS profiles, see Create Quality of Service (QoS) Profiles on page 116.
- Bandwidth profile: You can define bandwidth profiles and then apply them to outbound rules to limit traffic. For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 118.
Content Filtering
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's content filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.
- Web object blocking: You can block the following web component types: embedded objects (ActiveX, Java, Flash), proxies, and cookies.
- Keyword and file extension blocking: You can specify words that, should they appear in the website name (URL), file extension, or newsgroup name, cause that site, file, or newsgroup to be blocked by the VPN firewall.
- URL blocking: You can specify URLs that are blocked by the VPN firewall. For...
427. ...t Network Configuration > Routing. The Routing screen displays.
[Figure 38: Routing screen (Network Configuration tabs: WAN Settings, Protocol Binding, Dynamic DNS, LAN Settings, DMZ Setup, QoS, Routing). Static Routes table columns: Destination, Gateway, Interface, Metric, Active, Private, Action. Buttons: Select All, Delete, Add.]
For information about the fields of the Static Routes table, see the following table.
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays.
[Figure 39: Add Static Route screen (Operation succeeded). Fields: Route Name; Active; Private; Destination IP Address; Subnet Mask; Interface; Gateway IP Address; Metric.]
[LAN Configuration, page 76]
3. Enter the settings as explained in the following table.
Table 15. Add Static Route screen settings
Setting / Description
Route Name: The route name for the static route (for purposes of identification and management).
Active: To make the static route effective, select the Active check box.
Note: A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not advertised if RIP is enable...
428. ...t Number [screen residue: LAN Users, End]. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound...
[Screen residue: Add LAN WAN Inbound Service screen (Operation succeeded) showing HTTP, ALLOW always, Schedule 1, Single Address, 192.168.50.10, WAN1, None, Never, NONE.]
[Firewall Protection, page 103]
4. From the Service drop-down list, select HTTP for a web server.
5. From the Action drop-down list, select ALLOW Always.
6. In the Send to LAN Server field, enter the local IP address of your web server PC (192.168.1.2 in this example).
7. From the WAN Destination IP Address drop-down list, select the web server. In this example, the secondary 192.168.55.10 WAN1 address is shown. You first need to define this address on the WAN1 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 41) before you can select it from the WAN Destination IP Address drop-down list.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
To test the connection from a PC on the Internet, type http://<IP_address>, in which <IP_address> is the public IP address that you have mapped to your web server. You should see the home page of your web server.
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the I...
429. ...t blocked by rules you create is allowed by the default rule.
Note: ALLOW rules are useful only if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule.
Select Schedule: The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
- This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the Action.
- Use the schedule screen to configure the time schedules (see Set a Schedule to Block or Allow Specific Traffic on page 121).
[Firewall Protection, page 84]
Table 18. Outbound rules overview (continued)
Setting / Description
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
- Any: All PCs and devices on your LAN.
- Single address: Enter the required address to apply the rule to a single device on your LAN.
- Address range: Enter the required addresses in the Start and End fields to apply the rule to a range of devices.
- Groups: Select the group to which the rule applies. Use the LAN Groups screen to assign PCs to groups. See Manage Groups and Hosts (LAN Groups) on page 67.
- IP Group: Select the IP group to which the rule applies. Use the IP Groups screen to assign IP addresses to groups. See Create IP Groups on...
430. ...t rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between an internal IP LAN address and any external WAN IP address according to the schedule created in the Schedule screen. You can also tailor these rules to your specific needs (see Administrator Tips on page 82).
Note: This feature is for advanced administrators only. Incorrect configuration might cause serious problems.
To create a new outbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen displays. The following figure shows an example.
[Figure 43: Add LAN WAN Outbound Service screen (Operation succeeded). Fields: Service (STRMWORKS shown); Action (ALLOW always); Select Schedule (Schedule 1); LAN Users (Start, End); WAN Users (Start, End); QoS Profile (Maximize_Through shown); Log (Never); Bandwidth Profile (NONE); NAT IP (WAN1).]
2. Enter the settings as explained in Table 18 on page 84.
3. Click Apply to save your changes. The new rule is now added to the Outbound Services table.
[Firewall Protection, page 93]
LAN WAN Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you hav...
431. ...t should have a normal connection (such as to a PC) or an uplink connection (such as to a switch or hub). That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration Requirements on page 308. The VPN firewall provides the following protocol support:
- IP address sharing by NAT. The VPN firewall allows many networked PCs to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet Service Provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
- Automatic configuration of attached PCs by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
[Introduction, page 12]
- DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall provides its own address as a DNS server to the attac...
432. t type. Enter the network IP address for the locations that are permitted to use this resource.
Mask Length: Applicable only when you select IP Network as the object type. As an option, enter the network mask (0-31) for the locations that are permitted to use this resource.
Port Range / Port Number: A port or a range of ports (0-65535) to apply the policy to; the policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
4. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table.
To delete a configuration from the Defined Resource Addresses table, click the Delete table button to the right of the configuration that you want to delete.

Configure User, Group, and Global Policies
You can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The VPN firewall policy hierarchy is defined as follows:
1. User policies take precedence over all group policies.
2. Group policies take precedence over all global policies.
3. If two or more user, group, or global policies are configured, the most specific policy takes precedence. For example, a policy that is configured for a single IP address takes precedence over
433. tbound firewall rules, the source IP address is the LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP address. The class is deleted when all the connections that are using the class expire.
After you have created a bandwidth profile, you can assign the bandwidth profile to firewall rules on the following screens:
• Add LAN WAN Outbound Services screen (see Figure 43 on page 93)
• Add LAN WAN Inbound Services screen (see Figure 44 on page 94)

> To add and enable a bandwidth profile:
1. Select Security > Bandwidth Profile. The Bandwidth Profiles screen displays. See the following figure, which shows one profile in the List of Bandwidth Profiles table as an example.
[Figure 65: Bandwidth Profiles screen (Security > Bandwidth Profiles). Enable Bandwidth Profiles: Yes / No. List of Bandwidth Profiles columns: Name, Bandwidth Range (kbps), Direction, Action. Example entry: PriorityLevel, 750-100000, Group, Inbound Traffic. Packets Dropped due to Bandwidth Limit: 0.]
The screen displays the List of Bandwidth Profiles table with the user-defined profiles.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays.
[Add Bandwidth Profile screen]
434. teway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel.

VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing
In a dual WAN port load balancing gateway configuration, the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2, as necessary to balance the loads of the two gateway WAN ports) because the IP address of the active WAN port is not known in advance. The selected gateway WAN port needs to act as the responder.
[Figure 193: Road Warrior Example, Dual WAN Ports, Load Balancing. Gateway A is the VPN router at the employer's main office with WAN1 and WAN2 ports and an FQDN (router1.dyndns.org); Client B is a remote PC running the NETGEAR ProSafe VPN Client. Values shown: 10.5.6.0/24, 10.5.6.1, 0.0.0.0. Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.

VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall, such as a VPN firewall, to establish a VPN tunnel with another gateway VPN firewall:
• Single gateway WAN ports
• Redundant dual gateway WAN ports for increased reliabili
435. the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
• No. This feature is disabled. This is the default setting.
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default setting is 10 seconds. In this example, we are using 30 seconds.
Reconnect after failure count: The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.

Table 44. Add IKE Policy screen settings for a Mode Config configuration (continued)
Settings / Description
Extended Authentication (XAUTH Configuration)
Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 173.
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The
436. the DHCP server option is disabled by default. For most applications, the default DHCP server and TCP/IP settings of the VPN firewall are satisfactory. The VPN firewall delivers the following settings to any LAN device that requests DHCP:
• An IP address from the range that you have defined
• Subnet mask
• Gateway IP address (the VPN firewall's LAN IP address)
• Primary DNS server (the VPN firewall's LAN IP address)
• WINS server (if you entered a WINS server address in the DHCP Setup screen)
• Lease time (the date obtained and the duration of the lease)

DHCP Relay
DHCP relay options allow you to make the VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. If you do not configure a DHCP relay agent for a VLAN, its clients can obtain IP addresses only from a DHCP server that is on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you need to configure the DHCP relay agent on the subnet that contains the remote clients so that the DHCP relay agent can relay DHCP broadcast messages to your DHCP server.

DNS Proxy
When the DNS Proxy op
437. the QoS profile that you want to delete, or click the Select All table button to select all profiles.
2. Click the Delete table button.

Create Bandwidth Profiles
Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link. For outbound traffic, you can apply bandwidth profiles on the available WAN interfaces in both the single WAN port mode and auto-rollover mode, and in load balancing mode on the interface that you specify. For inbound traffic, you can apply bandwidth profiles to a LAN interface for all WAN modes. Bandwidth profiles do not apply to the DMZ interface.
For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection:
• If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
• If multiple connections correspond to the same firewall rule, the connections all share the same bandwidth class.
An exception occurs for an individual bandwidth profile if the classes are per-source IP address classes. The source IP address is the IP address of the first packet that is transmitted for the connection. So for ou
438. the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Disable. Disables the rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. (By default, when a rule is added to the table, it is automatically enabled.)
• Delete. Deletes the selected rule or rules.

LAN DMZ Outbound Services Rules
You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any internal (LAN) IP address according to the schedule created in the Schedule screen.

> To create a new outbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the Add table button under the Outbound Services table. The Add LAN DMZ Outbound Service screen displays.
[Figure 49: Add LAN DMZ Outbound Service screen. Fields: Service, Select Schedule (Schedule 1), LAN Users, DMZ Users.]
2. Enter the settings as explained in Table 18 on page 84.
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enable
439. the directory, that is, the directory tree from which the LDAP search begins.

Configure a VLAN Profile
For each VLAN on the VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing.

> To add or edit a VLAN profile:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display with the LAN Setup screen in view. The following figure shows the default VLAN profile and another VLAN profile as examples.
[Figure 30: LAN Setup screen (Network Configuration > LAN Settings; tabs WAN Settings, Protocol Binding, Dynamic DNS, DMZ Setup, Routing, QoS, LAN Setup, LAN Groups, LAN Multi-homing). VLAN Profiles table columns: Profile Name, VLAN ID, Subnet IP, DHCP Status, Action. Example entries: defaultVlan, VLAN ID 1, 192.168.1.1, DHCP Enabled; Sales, VLAN ID 2, 192.174.60.22, DHCP Disabled. Buttons: Select All, Delete, Enable, Disable, Add. Port membership: Port1, Port2, Port3, Port4, and DMZ all assigned to defaultVlan.]
2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays.
[Edit VLAN Profile screen. VLAN Profile section: Profile Name (defaultVlan), VLAN ID. Port Membership section.]
440. the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 105 on page 161).
3. In the Extended Authentication section of the screen, complete the settings as explained in the following table.

Table 41. Extended authentication settings
Setting / Description
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
• IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
Authentication Type: For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
User Database. XAUTH occurs through the VPN firewall's user
441. ther precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up. The VPN Wizard also configures the settings for the network connection: security association (SA), traffic selectors, authentication algorithm, and encryption. The settings that are used by the VPN Wizard are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multivendor VPN interoperability.

Create Gateway-to-Gateway VPN Tunnels with the Wizard
[Figure 76: Gateway-to-Gateway Example, Single WAN Ports. Gateway A is the VPN router at office A and Gateway B is the VPN router at office B; each is labeled with a LAN IP, a WAN IP, and an FQDN. Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]

> To set up a gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. The following figure contains some entries as an example.
The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. This VPN tunnel wi
442. tiated Services Code Point (DSCP) 46, 117
Diffie-Hellman (DH) group 164, 172, 179
DiffServ (Differentiated Services): LAN QoS 117; WAN QoS 46
digital certificates. See certificates
disabling ping replies 108
DMZ (demilitarized zone): configuring 72, 75; inbound rules (DMZ WAN 97, LAN DMZ 100); increasing traffic 247; outbound rules (DMZ WAN 96, LAN DMZ 99); port 12, 72
DNS (domain name server): automatic configuration of PCs 12; dynamic, configuring 42, 45; looking up an address 290; ModeConfig operation 179; proxy 13, 59, 63, 75; queries, auto-rollover 34; server IP addresses 62 (DMZ (demilitarized zone) 74, Internet connection 31, SSL VPN client 206)
documentation, online 301
domain name server. See DNS
domain name, PPTP and PPPoE 29, 30
domains: blocking 123; configuring 219, 223; trusted 126; user authentication 227
DoS (denial of service) attacks 11, 87, 107, 108
downloading: firmware 259; SSL certificate 21
DPD (Dead Peer Detection) 164, 193
DSCP (Differentiated Services Code Point) 46, 117
duplex, half and full 53
dynamic DNS (DDNS), configuring 42, 45
Dynamic Host Configuration Protocol. See DHCP 12
dynamically assigned IP addresses 31
DynDNS.org 42, 45

E
e-commerce, using SSL connections 196
edge device 172, 173
emails, sending logs 272
emergency messages, syslog 273
environmental specifications 304
error messages, syslog 273
error messages, understanding 322
Ethernet ports 14
exchange mode, IKE policies 160, 162
expos
443. times in seconds.
Authentication (IKE): Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
Encryption (IPSec): Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall.
3. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
The VPN firewall configuration is now complete.

Test the Connection and View Connection and Status Information
Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.

Test the NETGEAR VPN Client Connection
There are many ways to establish a connection. The following procedures assume that you use the default authentication phase name Gateway and the default IPSec configuration name Tunnel. If you manually set up the connection and changed the names, use vpn_client (or any other name that you have configured) as the authentication phase name and netgear_platform (or any other name that you have configured) as the IPSec configuration name.

> To establish a connection, use one of the following three methods:
Use the Configuratio
444. tion.
WAN1 Dynamic DNS Status / Change DNS to DynDNS, TZO, Oray, or 3322: Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected. Enter the following settings:
Host and Domain Name: The host and domain name for the DDNS service.
Username or User Email Address: The user name or email address for DDNS server authentication.
Password or User Key: The password that is used for DDNS server authentication.
Use wildcards: If your DDNS provider allows the use of wildcards in resolving your URL, you can select the Use wildcards check box to activate this feature. For example, the wildcard feature causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
Update every 30 days: If your WAN IP address does not change often, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If it appears, you can select the Update every 30 days check box to enable a periodic update.
WAN2 Dynamic DNS Status / WAN3 Dynamic DNS Status / WAN4 Dynamic DNS Status: See the information for WAN1 above about how to enter the settings. You can select different DDNS services for different WAN interfaces.
6. Click Apply to save your configuration.
445. tion and management purposes.
• Service. From the Service drop-down list, select the type of service to which the resource applies:
VPN Tunnel. The resource applies only to a VPN tunnel.
Port Forwarding. The resource applies only to port forwarding.
All. The resource applies both to a VPN tunnel and to port forwarding.
3. Click the Add table button. The new resource is added to the List of Resources table.

> To delete one or more network resources:
1. Select the check box to the left of the network resource that you want to delete, or click the Select All table button to select all VPN policies.
2. Click the Delete table button.

Edit Network Resources to Specify Addresses
After you have defined a resource on the Resources screen, you can assign an IP or network address and a port or port range to the resource.

> To edit a resource:
1. Select VPN > SSL VPN > Resources. The Resources screen displays (see the previous figure, which shows some examples).
2. In the List of Resources table, to the right of the new resource in the Action column, click the Edit table button. A new screen displays. The following figure shows an example.
[Edit Resource screen. Fields: Resource Name (TestResource), Service (VPN Tunnel), Object Type (IP Address), IP Address / Name, Network Address, Mask Length (0-31), Port Range (Begin, End).]
446. tion is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP's DNS servers (as configured on the WAN ISP Settings screens). All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located (that is, the VPN firewall's LAN IP address). When the DNS Proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address.
A DNS proxy is particularly useful in auto-rollover mode. For example, if the DNS servers for each WAN connection are different servers, then a link failure might render the DNS servers inaccessible. However, when the DNS Proxy option is enabled, the DHCP clients can make requests to the VPN firewall, which in turn can send those requests to the DNS servers of the active WAN connection.
However, disable the DNS proxy if you are using a dual WAN configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred.

LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in
447. tiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded. Try quitting the browser and launching it again.
Make sure that you are using the correct login information. The factory default login name is admin and the password is password. Make sure that Caps Lock is off when entering this information.
If the VPN firewall does not save changes you have made in the web management interface, check the following:
When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
Click the Refresh or Reload button in the web browser. The changes might have occurred, but the web browser might be caching the old configuration.

When You Enter a URL or IP Address, a Time-Out Error Occurs
A number of things could be causing this situation. Try the following troubleshooting steps:
Check whether other computers on the LAN work correctly. If they do, ensure that your computer's TCP/IP settings are correct. If you use a fixed (static) IP address, check the subnet mask, default gateway, DNS, and IP addresses on the WAN ISP Settings screens (see Manually Configure the Internet Connection on page 28).
If the computer is configured correctly but still not working, ensure that the VPN firewall is connected and turned on. Connect to the web management interface and check the VPN firewall's settings. If you cannot connect to the VPN firewall
448. to start the software upgrade to your VPN firewall. The upgrade process might take some time, at the conclusion of which the VPN firewall reboots automatically. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
WARNING: Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the VPN firewall finishes the upgrade. When the Test light turns off, wait a few more seconds before doing anything.
7. After the VPN firewall has completed its reboot process, log in to the web management interface, click Monitoring to display the Router Status screen, and then verify that the VPN firewall has the new software installed.
Note: In some cases, such as a major upgrade, it might be necessary to erase the configuration and manually reconfigure your VPN firewall after upgrading it. Refer to the release notes included with the software to find out if this is required.

Configure Date and Time Service
Configure date, time, and NTP server designations on the Time Zone screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Setting the correct system time and time zone ensures that the date and time recorded in the VPN firewall logs and reports are accurate.

> To set time, date, and NT
449. to the original factory default settings, you can use one of the following two methods:
• Using a sharp object, press and hold the reset button on the rear panel of the VPN firewall (see Rear Panel on page 16) for about eight seconds until the Test LED turns on. The Test LED remains on for about 2 minutes. To restore the factory default configuration settings when you do not know the administration password or IP address, you need to use the reset button method.
• On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Revert to factory default settings, click the Default button. The VPN firewall reboots. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
WARNING: When you push the hardware reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them.
Note: After rebooting with factory default settings, the VPN firewall's password is password and the LAN IP address is 192.168.1.1.

Upgrade the Firmware and Reboot the VPN Firewall
You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen (see the previous screen). To view the current version of the firmw
450. tting / Description
Advanced features:
Mode Config: Select this check box to enable Mode Config.
Aggressive Mode: Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
Local and Remote ID:
Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client. Note: The remote ID on the VPN firewall is the local ID on the VPN client.
Remote ID: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter router.com as the remote ID for the VPN firewall. Note: The local ID on the VPN firewall is the remote ID on the VPN client.
Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Create the Mode Config IPSec Configuration (Phase 2 Settings)
Note: On the VPN firewall, the IPSec configuration (phase 2 settings) is referred to as the IKE settings.

> To create an IPSec configuration:
1. In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig authentication phase name and then select New Phase 2.
2. Change the name of the IPSec
451. tting / Description
Name: Enter the name of the PC or device.
IP Address Type: From the drop-down list, select how the PC or device receives its IP address:
• Fixed (set on PC). The IP address is statically assigned on the PC or device.
• Reserved (DHCP Client). Directs the VPN firewall's DHCP server to always assign the specified IP address to this client during the DHCP negotiation (see Set Up Address Reservation on page 72).
Note: When assigning a reserved IP address to a client, the IP address selected needs to be outside the range of addresses allocated to the DHCP server pool.
IP Address: Enter the IP address that this PC or device is assigned in the IP Address field. If the IP address type is Reserved (DHCP Client), the VPN firewall reserves the IP address for the associated MAC address.

Table 13. Known PCs and devices settings (continued)
Setting / Description
MAC Address: Enter the MAC address of the PC or device's network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and A-F), such as 01:23:45:67:89:AB.
Group: From the drop-down list, select the group to which the PC or device is assigned. Group 1 is the default group.
Profile Name: From the drop-down list, select the VLAN profile to which the PC or device is assigned. defaultVlan is the default VLAN group. Cl
452. tus.
[Figure 71: Port Triggering screen. Port Triggering Rules table columns: #, Name, Enable, Protocol, Outgoing Trigger Port Range (Start Port, End Port), Incoming Response Port Range (Start Port, End Port), Action. Example rule: PT_rule_example, Enable No, Protocol TCP, trigger ports 12350-12360, response ports 17840-17850. Buttons: Select All, Delete. Below it, the Add Port Triggering Rule section with the same fields (port ranges 1-65534).]
2. Below Add Port Triggering Rule, enter the settings as explained in the following table.

Table 27. Port Triggering screen settings
Setting / Description
Name: A descriptive name of the rule for identification and management purposes.
Enable: From the drop-down list, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.
Protocol: From the drop-down list, select the protocol to which the rule applies:
TCP. The rule applies to an application that uses the Transmission Control Protocol (TCP).
UDP. The rule applies to an application that uses the User Datagram Protocol (UDP).
Outgoing Trigger Port Range:
Start Port: The start port (1-65534) of the range for triggering.
End Port: The end port (1-65534) of the range for triggering.
Incoming Response Port Range:
Start Port: The start port (1-65534) of the range for responding.
End Port: The end port (1-65534) of the range for responding.
453. ty before and after rollover
• Dual gateway WAN ports for load balancing

VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)
In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.
[Figure 194: Gateway-to-Gateway Example, Single WAN Ports. Gateway A is the VPN router at office A and Gateway B is the VPN router at office B; each is labeled with a WAN IP and an FQDN. Values shown: 10.5.6.0/24, 172.23.9.0/24, 10.5.6.1, 172.23.9.1, netgear.dyndns.org, 22.23.24.25. Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.

VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance. In this example (see the following figure), port WAN_A1 is active and port WAN_A2 is inactive
454. type 54
connection type, viewing 278
default port MAC addresses 279
failure detection method 34, 36
load balancing mode: configuring 36, 38; DDNS 43; description 32
VPN IPSec 134
mode status, viewing 278
NAT mode 33
secondary IP addresses 41
single port mode 32
WAN aliases 41
WAN inbound rules: DMZ WAN 97; LAN WAN 94
WAN interfaces, primary and backup 34
WAN LEDs 16, 295
WAN outbound rules: DMZ WAN 96; LAN WAN 93
WAN ports: connection status 286; description 10, 14
WAN profiles, QoS 46, 51
WAN settings: auto-detecting 26; manually configuring 28
WAN status 27, 285, 297
WAN traffic meter or counter 263, 264
warning messages, syslog 273
warning, SSL certificate 21
web components, blocking 123, 126
web management interface: description 23; troubleshooting 295
weighted load balancing 37
WiKID: CHAP and PAP 220, 222; overview 341, 344
WINS server: DHCP 62, 74; ModeConfig operation 178
wizard. See Setup Wizard, IPSec VPN Wizard, SSL VPN Wizard

X
XAUTH (extended authentication) 172, 176
455. uce the incidence of online identity theft.

NETGEAR Two-Factor Authentication Solutions
NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
The WiKID solution is based on a request-response architecture where a one-time passcode (OTP), which is time-synchronized with the authentication server, is generated and sent to the user after the validity of a user credential has been confirmed by the server.
The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs.
Here is an example of how WiKID works.

> To use WiKID for end users:
1. Launch the WiKID token software, enter the PIN that has been provided (something the user knows), and then click Continue to receive the OTP from the WiKID authentication server.
[Figure 202: WiKID token client, Passcode Request dialog ("Enter your PIN for the Token client test domain", PIN field). Copyright 2001-2007 WiKID Systems Inc.]
2. A one-time passcode (something the user has) is generated.
456. ueried and sometimes set by managing applications. SNMP lets you monitor and manage your VPN firewall from an SNMP manager. It provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance, and security.
Manage the SNMP Configuration
> To create a new SNMP configuration entry:
1. Select Administration > SNMP. The SNMP screen displays.
[Figure 154: SNMP screen (Administration submenu: Remote Management, Settings Backup & Upgrade, Time Zone, SNMP, System Info), showing an example entry with IP Address 172.120.34.12 and Subnet Mask 255.255.255.0 and the Create New SNMP Configuration Entry section]
2. In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table.
Table 63. SNMP screen settings
Setting / Description
IP Address: The IP addresses of the SNMP management station that is allowed to receive the VPN firewall's SNMP traps.
Subnet Mask: The subnet mask of the SNMP management station that is allowed to receive the VPN firewall's SNMP traps. To allow a subnet access to the VPN firewall through SNMP, enter a subnet mask of 255.255.255.0. In this situation, the entire subnet that is associated with the IP address of the SNMP management station has access through the c
457. uld be active by selecting one of the following radio buttons:
• Rate control. All rate control QoS profiles that you configure are active, but priority QoS profiles are not.
• Priority. All priority QoS profiles that you configure are active, but rate control profiles are not.
Click Apply to save your settings.
The List of QoS Profiles table shows the following columns, all of which are explained in detail in the following table and in Table 10 on page 50:
• QoS Type. The type of profile, either Rate Control or Priority.
• Interface. The WAN interface to which the profile applies: WAN1, WAN2, WAN3, or WAN4.
• Service. The service to which the profile applies.
• Direction. The WAN direction to which the profile applies: inbound, outbound, or both.
• Rate. The bandwidth rate in Kbps, or the priority.
• Hosts. The IP address, IP addresses, or group to which the rate control profile applies. The information in this column is not applicable to priority profiles.
• Action. The Edit table button provides access to the Edit QoS screen for the corresponding profile.
> To add a rate control QoS profile:
1. Select Network Configuration > QoS. The QoS screen displays.
2. Under the List of QoS Profiles table, click the Add table button. The Add QoS screen displays. The following figure shows settings for a rate control QoS profile.
458. ur ISP.
• If the auto-detect process does not find a connection, you are prompted either to check the physical connection between your VPN firewall and the cable or DSL line, or to check your VPN firewall's MAC address. For more information, see Configure the WAN Mode on page 32 and Troubleshoot the ISP Connection on page 296.
Verify the connection:
a. Return to the WAN screen by selecting Network Configuration > WAN Settings.
b. Click the Status button in the Action column of the WAN interface that you just configured to display the Connection Status popup window.
Connection Status (Operation succeeded)
Connection Time: 0 Days 01:16:37
Connection Type: Static IP
Connection State: Connected
IP Address: 10.34.116.22
Subnet Mask: 255.255.255.248
Gateway: 10.34.116.23
DNS Server: 10.151.34.170
[Disconnect]
Figure 12
The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to Manually Configure the Internet Connection on this page, or see Troubleshoot the ISP Connection on page 296.
Note: If the configuration process was successful, you are connected to the Internet through the WAN interfaces that you just configured. Continue with the configuration process for the other WAN interfaces.
Note: For more information about the WAN Connection Status scree
459. ut how to define QoS profiles, see Create Quality of Service (QoS) Profiles on page 116.
Bandwidth profile. You can define bandwidth profiles and then apply them to inbound rules to limit traffic. For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 118.
Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application.
Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound (port forwarding) rules, and most likely would be blocked.
For the procedure on how to configure port triggering, see Configure Port Triggering on page 130.
DMZ Port
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers such as a web server, FTP server, or email server and provide public access to them. The fourth LAN port on the VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without c
460. uthentication (XAUTH) Configuration
Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 173.
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
• IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
Table 38. Add IKE Policy screen settings (continued)
Setting / Description
XAUTH Configuration (continued)
Authentication Type: For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
• User Database. XAUTH occurs through the VPN firewall's user database. Users need to be added through the Add User screen (see User Database Configuration on page 174).
• Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The loc
461. ve algorithms to negotiate the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Authentication Algorithm: From the drop-down list, select one of the following two algorithms to use in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Table 38. Add IKE Policy screen settings (continued)
Setting / Description
Authentication Method: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA Signature. Uses the active self certificate that you uploaded on the Certificates screen (see Manage Self-Signed Certificates on page 237). The pre-shared key is masked out when you select the RSA Signature option.
Pre-shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote (") in the key.
Diffie-Hellman (DH) Group: The DH Group sets the strength of the algorithm in
462. ve created a QoS profile, it can become active only when you apply it to a non-blocking inbound or outbound firewall rule.
Note: This field is not applicable to LAN DMZ rules.
Table 18. Outbound rules overview (continued)
Setting / Description
Bandwidth Profile: Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 118. Bandwidth limiting occurs in the following ways:
• For outbound traffic. On the available WAN interface in the single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode.
• For inbound traffic. On the LAN interface for all WAN modes.
Note: Bandwidth limiting does not apply to the DMZ interface.
Log: The setting that determines whether packets covered by this rule are logged. The options are:
• Always. Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules.
• Never. Never log traffic considered by this rule, whether it matches or not.
NAT IP: The setting that specifies whether the source address of the outgoing packets o
463. ve the captured traffic flow. The default file name is pkt.CAP. The file is downloaded to the location that you specify. Send the file to NETGEAR technical support for analysis.
Troubleshooting and Using Online Support
This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated:
• Is the VPN firewall on? Go to Basic Functioning on page 294.
• Have I connected the VPN firewall correctly? Go to Basic Functioning on page 294.
• I cannot access the VPN firewall's web management interface. Go to Troubleshoot the Web Management Interface on page 295.
• A time-out occurs. Go to When You Enter a URL or IP Address, a Time-Out Error Occurs on page 296.
• I cannot access the Internet or the LAN. Go to Troubleshoot the ISP Connection on page 296.
• I have problems with the LAN connection. Go to Troubleshoot a TCP/IP Network Using the Ping Utility on page 298.
• I want to clear the configuration and start over again. Go to Restore the Default Configuration and Password on page 299.
• The date or time is not correct. Go to Problems with Date and Time on page 300.
• I need help from NETGEAR. Go to Access the Knowledge Base and Documentation on page 301.
Note: The VPN firewall's diagnostic tools are explained in Use the Diag
464. wall and content filtering engine, and to monitor the users' access to the Internet and the types of traffic that they are allowed to have. See Chapter 9, Monitoring System Access and Performance, for a description of these tools.
System Management
System management tasks are described in the following sections:
• Change Passwords and Administrator Settings
• Configure Remote Management Access
• Using the Command Line Interface
• Use a Simple Network Management Protocol Manager
• Manage the Configuration File
• Configure Date and Time Service
Change Passwords and Administrator Settings
The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
> To modify the administrator user account settings, including the password:
1. Select Users > Users. The Users screen displays. The following figure shows the VPN firewall's default users, admin and guest, and, as an example, one other user in the List of Users table.
List of Users (Name / Group / Type / Authentication Domain / Action):
admin / geardomain / Administrator / geardomain / Edit, Policies
guest / geardomain / Guest User / geardomain / Edit, Policies
CustomerSupportContract / Customer
465. wall.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.
Using the Command Line Interface
You can access the command line interface (CLI) using the console port on the rear panel of the VPN firewall (see Rear Panel on page 16). You can access the CLI from a communications terminal when the VPN firewall is still set to its factory defaults, or use your own settings if you have changed them.
> To access the CLI:
1. From your computer's command line prompt, enter the following command: telnet 192.168.1.1
2. Enter admin and password when prompted for the login and password information, or enter guest and password to log in as a read-only guest.
3. Enter exit to end the CLI session.
Any configuration changes made via the CLI are not preserved after a reboot or power cycle unless you issue the CLI save command after making the changes.
Use a Simple Network Management Protocol Manager
Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be q
466. was assigned an IP address by the DHCP server, then the name is appended by an asterisk.
• IP Address. The current IP address of the PC or device. For DHCP clients of the VPN firewall, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed.
• MAC Address. The MAC address of the PC or device's network interface.
• Group. Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen (see Figure 35 on page 70).
• Profile Name. The VLAN to which the PC or device is assigned.
• Action. The Edit table button that provides access to the Edit Groups and Hosts screen.
Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices.
View the DHCP Log
> To review the most recent entries in the DHCP log:
1. Select Network Configuration > LAN Settings. The LAN Settings submenu tabs display with the LAN Setup screen in view (Figure 30 on page 59).
2. Click the DHCP Log option arrow in the upper right of the LAN Setup screen. The DHCP Log screen displays.
467. with this priority with a ToS value of 0.
• Minimize cost profile. Used when data needs to be transferred over a link that has a lower cost. You would typically mark the IP packets for services with this priority with a ToS value of 1.
• Maximize reliability profile. Used when data needs to travel to the destination over a reliable link and with little or no retransmission. You would typically mark the IP packets for services with this priority with a ToS value of 2.
• Maximize throughput profile. Used when the volume of data transferred during an interval is important, even if the latency over the link is high. You would typically mark the IP packets for services with this priority with a ToS value of 3 or 4.
• Minimize delay profile. Used when the time required (latency) for the packet to reach the destination needs to be low. You would typically mark the IP packets for services with this priority with a ToS value of 7.
Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP precedence, DHCP, and their values.
> To create a QoS profile:
1. Select Security > Services > QoS Profiles. The QoS Profiles screen displays. The following figure shows some profiles in the List of QoS Profiles table as an example.
[Figure: QoS Profiles screen; menu bar shows Network Configuration, Security, Schedule, Firewall, Address Filter, Port Triggering, UPnP, Bandwidth Profile, Co
468. ximum number of supported outbound rules is 300, and the maximum number of supported inbound rules is 300. The total number of supported inbound and outbound rules is therefore 600. Per traffic rule category (LAN WAN, DMZ WAN, or LAN DMZ), you can configure a total of 200 rules in any combination of outbound and inbound rules. However, the maximum number of outbound rules for all three categories cannot exceed 300. Similarly, the maximum number of inbound rules for all three categories cannot exceed 300.
Services-Based Rules
The rules to block traffic are based on the traffic's category of service:
• Outbound rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
• Inbound rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Customized services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see Add Customized Services on page 112).
• Quality of Service (QoS) priorities. Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change the QoS priority, which changes the traffic mix through the system (see Create Quality of Se
469. [Figure 70: IP/MAC Binding screen (Security submenu: Port Triggering, UPnP, Bandwidth Profile, Content Filtering, Source MAC Filter, IP/MAC Binding; Set Poll Interval link). The screen shows the question "Do you want to enable E-mail Logs for IP/MAC Binding Violation? Yes / No" with the note "For this option, e-mailing of logs must be enabled in Firewall Logs & E-mail page", an example binding a1:c1:33:44:2a:2b / 192.174.60.78 with Log Dropped Packets set to No, and the Add IP/MAC Binding section (Name, MAC Address, IP Address, Log Dropped Packets).]
2. Enter the settings as explained in the following table.
Table 26. IP/MAC Binding screen settings
Setting / Description
Email IP/MAC Violations
Do you want to enable E-mail Logs for IP/MAC Binding Violation? Select one of the following radio buttons:
• Yes. IP/MAC binding violations are emailed.
• No. IP/MAC binding violations are not emailed.
Note: Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Email and Syslog screen (see Activate Notification of Events, Alerts, and Syslogs on page 269).
IP/MAC Bindings
Name: A descriptive name of the binding for identification and management purposes.
MAC Address: The MAC address of the PC or device that is bound to the IP address.
IP Address: The IP address of the PC or device that is bound to the MAC address.
Log Dropped Packets: To log the dropped packets, select Enable from the drop-down list. The default setting is Di
470. y log in to the portal, for example: In case of login difficulty, call 123-456-7890. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters.
Note: For an example, see Figure 132 on page 217. The banner message text is displayed in the gray header bar.
Display banner message on login page: Select this check box to show the banner title and banner message text on the login screen, as shown in Figure 132 on page 217.
HTTP meta tags for cache control (recommended): Select this check box to apply HTTP meta tag cache control directives to this portal layout. Cache control directives include:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user's web browser cache.
ActiveX web cache cleaner: Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. The ActiveX web cache control is ignored by web browsers that do not support ActiveX.
SSL VPN Portal Page
471. y the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and End fields to apply the rule to a range of devices.
• Groups. Select the group to which the rule applies. Use the LAN Groups screen to assign PCs to groups. See Manage Groups and Hosts (LAN Groups) on page 67.
• IP Group. Select the IP group to which the rule applies. Use the IP Groups screen to assign IP addresses to groups. See Create IP Groups on page 114.
Note: For LAN WAN inbound rules, this field is not applicable when the WAN mode is NAT, because your network presents only one IP address to the Internet.
WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Fill in the Start and End fields.
• IP Group. Select the IP group to which the rule applies. Use the IP Groups screen to assign IP addresses to groups. See Create IP Groups on page 114.
DMZ Users: The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
• Any. All PCs and devices on your DMZ network.
• Single address. Enter the required address to apply the rule to a single PC on the DMZ network.
• Address range. Enter the required addresses in the Start and End fields to apply the rule to a range of DMZ computers.
Note: For
472. your VPN firewall is unable to obtain an IP address from the ISP, you might need to force your modem or router to recognize your new VPN firewall by performing the following procedure:
1. Turn off the power to the modem or router.
2. Turn off the power to your VPN firewall.
3. Wait 5 minutes, and then turn on the power to the modem or router.
4. When the modem's or router's LEDs indicate that it has reacquired synchronization with the ISP, turn on the power to your VPN firewall.
If your VPN firewall is still unable to obtain an IP address from the ISP, the problem might be one of the following:
• Your ISP might require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you might have incorrectly set the login name and password.
• Your ISP might check for your PC's host name. Enter the host name, system name, or account name that was assigned to you by your ISP in the Account Name field on the WAN ISP Settings screen for the WAN interface that you are troubleshooting. You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configure the Internet Connection on page 28).
• Your ISP allows only one Ethernet MAC address to connect to the Internet and might check for your PC's MAC address. In this case, do one of the following: Inform your ISP t
473. yy.com as the domain name.
[Figure: ISP Host Name / ISP Domain Name]
• Fully Qualified Domain Name. Some organizations use a fully qualified domain name (FQDN) from a Dynamic DNS service provider for their IP addresses.
[Figure: Dynamic DNS Service Provider / FQDN]
Overview of the Planning Process
The areas that require planning when you use a firewall that has multiple WAN ports, such as the VPN firewall, include the following:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
Two WAN ports can be configured on a mutually exclusive basis to either of the following:
• auto-rollover for increased reliability
• load balancing for outgoing traffic
These various types of traffic and auto-rollover or load balancing all interact to make the planning process more challenging.
• Inbound traffic. Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded. The mechanism for making the IP address public depends on whether the dual WAN ports are configured for auto-rollover or load balancing.
• Virtual private networks. A virtual private network (VPN) tunnel provides a secure communication channel either between two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel en