Firewall Protection
166
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT. The other addresses are available to map to your servers.
To configure the VPN firewall for additional IP addresses:
1. Select Security > Firewall. The Firewall submenu tabs display.
2. If your server is to be on your LAN, click the LAN WAN Rules submenu tab. (If your server is to be on your DMZ, click the DMZ WAN Rules submenu tab.)
3. In the upper right of the LAN WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 setting. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays:
Figure 95.
4. From the Service drop-down list, select HTTP for a web server.
5. From the Action drop-down list, select ALLOW Always.
6. In the Send to LAN Server field, enter the local IP address of your web server (192.168.1.2 in this example).
7. From the WAN Destination IP Address drop-down list, select the web server. In this example, the secondary 192.168.50.1 (WAN2) address is shown. You first need to define this address on the WAN2 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 47) before you can select it from the WAN Destination IP Address drop-down list.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
To test the connection from a computer on the Internet, type http://<IP_address>, in which <IP_address> is the public IP address that you have mapped to your web server in Step 6. You should see the home page of your web server.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
WARNING: Do not set up an exposed host from a remote connection because you will likely lock yourself out from the VPN firewall.
To expose one of the computers on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
See an example in the following figure.
Figure 96. (Figure callouts: 1. Select Any and Allow Always (or Allow by Schedule). 2. Place the rule below all other inbound rules.)
WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User
If you want to restrict incoming RTelnet sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address. See an example in the following figure.
Figure 97.
Examples of Outbound Firewall Rules
Outbound rules let you prevent users from using applications such as Instant Messenger or Real Audio, or from visiting other nonessential sites.
IPv4 LAN WAN Outbound Rule: Block Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block such an application from any internal IP address to any external address according to the schedule that you have created on the Schedule screen. The schedule should specify working hours.
You can also enable the VPN firewall to log any attempt to use Instant Messenger during the blocked period. See an example in the following figure.
Figure 98.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet
If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen, create a schedule that specifies working hours, and assign it to the rule.
You can also configure the QoS profile to maximize the throughput. See an example in the following figure.
Figure 99.
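The rule examples above all depend on how the rule table is walked: the HTTP mapping forwards traffic for one public address to one LAN server, the exposed-host rule must sit below every other inbound rule, and the Instant Messenger block applies only inside a schedule. The following toy model, an added example and not NETGEAR code, evaluates an inbound and an outbound table and shows what happens when the exposed-host rule is placed too high. It assumes first-match evaluation from the top of the table (the manual implies this by requiring the exposed-host rule to be last), an inbound default of block and an outbound default of allow, and a schedule that is a simple daily time window; the 192.168.50.1 and 192.168.1.2 addresses are the manual's example values, while 192.168.1.50, the external address and the timestamps are constructed.

```python
"""Toy first-match model of the inbound and outbound rule tables described above.

Added example, not NETGEAR code. Assumptions: rules are evaluated top to bottom
and the first match wins; unmatched inbound traffic is blocked and unmatched
outbound traffic is allowed; a schedule is a daily (start, end) window.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass
class Rule:
    service: str                         # "HTTP", "IM", ... or "ANY" (all protocols)
    action: str                          # "ALLOW" or "BLOCK"
    wan_dest: Optional[str] = None       # public IP an inbound rule listens on; None = any
    send_to: Optional[str] = None        # LAN/DMZ server inbound traffic is forwarded to
    schedule: Optional[Tuple[time, time]] = None  # (start, end) daily window; None = always


@dataclass
class Packet:
    service: str
    dst: str                             # destination address as seen by the firewall
    when: datetime


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.service != "ANY" and rule.service != pkt.service:
        return False
    if rule.wan_dest is not None and rule.wan_dest != pkt.dst:
        return False
    if rule.schedule is not None:
        start, end = rule.schedule
        if not (start <= pkt.when.time() < end):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> Tuple[str, Optional[str]]:
    """Return (action, forwarded_to) from the first matching rule, else the table default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.send_to
    return default, None


def exposed_host_warnings(inbound: List[Rule]) -> List[str]:
    """Audit check: an any-protocol ALLOW rule that is not last shadows every rule below it."""
    warnings = []
    for idx, rule in enumerate(inbound):
        below = len(inbound) - idx - 1
        if rule.service == "ANY" and rule.action == "ALLOW" and below > 0:
            warnings.append(
                f"exposed-host rule at position {idx + 1} shadows {below} rule(s) below it")
    return warnings


WORKING_HOURS = (time(9, 0), time(17, 0))

# Inbound table: the HTTP mapping from Steps 4-8, then the exposed host placed last.
INBOUND = [
    Rule("HTTP", "ALLOW", wan_dest="192.168.50.1", send_to="192.168.1.2"),
    Rule("ANY", "ALLOW", send_to="192.168.1.50"),   # constructed exposed-host address
]
# The same two rules in the wrong order: the exposed host now captures the HTTP traffic.
INBOUND_MISORDERED = list(reversed(INBOUND))

# Outbound table: block Instant Messenger during working hours only.
OUTBOUND = [Rule("IM", "BLOCK", schedule=WORKING_HOURS)]


def demo() -> dict:
    day = datetime(2024, 1, 15, 10, 30)          # constructed timestamps
    night = datetime(2024, 1, 15, 20, 30)
    http = Packet("HTTP", "192.168.50.1", day)
    ssh = Packet("SSH", "192.168.50.1", day)      # a service with no rule of its own
    im = Packet("IM", "203.0.113.10", day)        # documentation-range external address
    return {
        "http_ok": evaluate(INBOUND, http, default="BLOCK"),
        "ssh_to_exposed_host": evaluate(INBOUND, ssh, default="BLOCK"),
        "http_misordered": evaluate(INBOUND_MISORDERED, http, default="BLOCK"),
        "audit_ok": exposed_host_warnings(INBOUND),
        "audit_misordered": exposed_host_warnings(INBOUND_MISORDERED),
        "im_working_hours": evaluate(OUTBOUND, im, default="ALLOW"),
        "im_after_hours": evaluate(OUTBOUND, Packet("IM", "203.0.113.10", night), default="ALLOW"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the exposed host last, HTTP still reaches 192.168.1.2 and only services with no rule of their own fall through to the exposed host; reversed, the exposed host absorbs the HTTP mapping as well, which is what `exposed_host_warnings` flags when reviewing a rule table.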
Configure Other Firewall Features
Attack Checks
Set Limits for IPv4 Sessions
Configure Multicast Pass-Through for IPv4 Traffic
Manage the Application Level Gateway for SIP Sessions
You can configure attack checks, set session limits, configure multicast pass-through, and manage the application level gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks. The various types of IPv4 attack checks are listed on the Attack Checks screen and defined in Table 35 on page 171. For IPv6, the only options are to specify whether to allow a ping on the WAN port and whether to allow VPN pass-through for IPSec.
IPv4 Attack Checks
To enable IPv4 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings:
Figure 100.
