ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Inbound Rules (Port Forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .147
Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .149
Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .154
Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .156
Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .160
Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .162
Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . .164
Examples of Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . .168
Configure Other Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Configure Multicast Pass-Through for IPv4 Traffic. . . . . . . . . . . . . . . .174
Manage the Application Level Gateway for SIP Sessions . . . . . . . . . .176
Services, Bandwidth Profiles, and QoS Profiles. . . . . . . . . . . . . . . . . . . .176
Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Create Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . .184
Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . . . .186
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .189
Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Chapter 5
Virtual Private Networking Using IPSec and L2TP Connections
Considerations for Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . . .202
Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .203
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . .204
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . .208
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard . . . . .212
Test the Connection and View Connection and Status Information. . . . .227
Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .227
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .229
View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .229
View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . .230
Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .245
Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .247
Assign IPv4 Addresses to Remote Users (Mode Config). . . . . . . . . . . . .250
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Configure Mode Config Operation on the VPN Firewall . . . . . . . . . . . .250
Configure the ProSafe VPN Client for Mode Config Operation . . . . . .257
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .265
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .265
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .268
Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
View the Active L2TP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Chapter 6
Virtual Private Networking Using SSL Connections
SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Overview of the SSL Configuration Process . . . . . . . . . . . . . . . . . . . . . .276
Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .281
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .282
Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Add a New Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .285
Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . .288
Add New Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Edit Network Resources to Specify Addresses . . . . . . . . . . . . . . . . . .289
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . .291
View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Add an IPv4 or IPv6 SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . .293
Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . . . .297
View the SSL VPN Connection Status and SSL VPN Log. . . . . . . . . . . .299
Chapter 7
Manage Users, Authentication, and VPN Certificates
The VPN Firewall’s Authentication Process and Options. . . . . . . . . . . . .302
Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .303
Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .318
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .320
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Manage VPN CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . .323
Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . .326
Chapter 8
Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . .335
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .336
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Change Passwords and Administrator and Guest Settings . . . . . . . . .336
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .338
Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Use a Simple Network Management Protocol Manager. . . . . . . . . . . .342
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Chapter 9
Monitor System Access and Performance
Configure and Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . .356
Configure and Enable the LAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . .359
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .362
How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . .367
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
View the VPN Connection Status, L2TP Users, and PPTP Users . . . .378
View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . .385
Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Reboot the VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Chapter 10
Troubleshooting
Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Troubleshoot the Web Management Interface . . . . . . . . . . . . . . . . . . . . .394
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .395
Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . .400
Test the LAN Path to Your VPN Firewall . . . . . . . . . . . . . . . . . . . . . . .400
Test the Path from Your Computer to a Remote Device . . . . . . . . . . .401
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .401
Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . .403
Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . . . .403
Appendix A
Default Settings and Technical Specifications
Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Appendix B
Network Planning for Multiple WAN Ports
What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .415
Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .415
Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .416
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .419
Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .420
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .422
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .427
Appendix C
System Logs and Error Messages
Log Message Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
System Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .434
WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
LAN to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
WAN to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Appendix D
Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .450
What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .450
What Is Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . . . . .450
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .451
Appendix E
Notification of Compliance
Index
