Firewall Protection
171
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
2. Enter the settings as described in the following table:

Table 36. Attack Checks screen settings for IPv4

WAN Security Checks

Respond to Ping on Internet Ports
    Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet; an answered ping confirms to anyone scanning the address that a live device is there.

Enable Stealth Mode
    Select the Enable Stealth Mode check box (which is the default setting) to prevent the VPN firewall from responding to port scans from the WAN. Probes of closed ports are dropped silently instead of being answered, which makes the VPN firewall harder to discover and to attack.

Block TCP flood
    Select the Block TCP flood check box (which is the default setting) to enable the VPN firewall to drop all invalid TCP packets and to protect the VPN firewall from a SYN flood attack.
    A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. The target answers each SYN with a SYN-ACK and waits for the final ACK of the three-way handshake, but the attacker never sends it. Each unfinished handshake stays in the target's half-open connection table until it times out; when that table is full, the target can no longer accept legitimate connections. The source addresses are commonly spoofed, so the SYN-ACKs go to hosts that never asked for them.

LAN Security Checks

Block UDP flood
    Select the Block UDP flood check box (which is the default setting) to limit the number of User Datagram Protocol (UDP) connections that a single device on the LAN can open through the VPN firewall per second.
    In the field, enter the number of new UDP connections per second that defines a UDP flood. You can enter a number from 1 to 40. The default value is 40. The VPN firewall drops UDP packets from a LAN device that exceeds the specified number of connections per second.
    A UDP flood is a form of denial of service attack in which one device sends many UDP packets to random ports on a remote host. For each packet, the distant host does the following:
    1. Checks for an application listening at that port.
    2. Sees that no application is listening at that port.
    3. Replies with an ICMP Destination Unreachable (Port Unreachable) packet.
    When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the source IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker and hiding the attacker's network location. Because this check applies to the LAN side, it also limits the damage that a compromised LAN host can do to targets on the Internet.

Disable Ping Reply on LAN Ports
    Select the Disable Ping Reply on LAN Ports check box to prevent the VPN firewall from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to prevent the VPN firewall from responding to a ping on a LAN port.
Table 35. Attack Checks screen settings for IPv4 (continued)

VPN Pass through
IPSec
PPTP
L2TP
    When the VPN firewall functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy. For example, if a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another VPN endpoint on the WAN side (placing the VPN firewall between two VPN endpoints), encrypted packets are sent to the VPN firewall. Because the VPN firewall filters the encrypted packets through NAT, the packets become invalid unless you enable the VPN Pass through feature: IPSec ESP and the GRE tunnel that PPTP uses carry no TCP or UDP port numbers for NAT to translate, and an IPSec AH integrity check covers the IP addresses that NAT rewrites.
    To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or all of the following check boxes:
    IPSec. Disables NAT filtering for IPSec tunnels.
    PPTP. Disables NAT filtering for PPTP tunnels.
    L2TP. Disables NAT filtering for L2TP tunnels.
    By default, all three check boxes are selected. Clear the check boxes for tunnel types that no LAN host uses; PPTP in particular is obsolete and should stay enabled only while a legacy client still depends on it.

3. Click Apply to save your settings.

IPv6 Attack Checks

To enable IPv6 attack checks for your network environment:

1. Select Security > Firewall > Attack Checks.
2. In the upper right of the screen, select the IPv6 radio button. The Attack Checks screen displays the IPv6 settings:

Figure 101.

3. Configure the following settings:
    Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv6 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.
    IPsec. Select the IPsec check box to enable IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules.
4. Click Apply to save your settings.
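The WAN and LAN security checks of Table 35 above, modelled as an added example (this is not NETGEAR code; the SRX5308 firmware is not public). The filter applies Respond to Ping on Internet Ports, Enable Stealth Mode, Block TCP flood and Block UDP flood to constructed packets and returns what the firewall would do with each. The 1 to 40 UDP connections-per-second field is the one the screen exposes; the half-open SYN limit of 64, the single open port 443, the addresses and the decision names "forward", "drop" and "reject" are assumptions made for the demonstration.

```python
"""Model of the Attack Checks screen (added example, not NETGEAR code).

Sample packets below are constructed for the demonstration. The half-open
SYN limit is an assumption: the manual gives no figure for it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp" (echo request)
    src: str            # source IP address
    dport: int = 0      # destination port on the VPN firewall
    flags: int = 0      # TCP flag bits; ignored for UDP and ICMP
    t: float = 0.0      # arrival time in seconds


@dataclass
class AttackChecks:
    respond_to_ping: bool = False   # "Respond to Ping on Internet Ports" (default off)
    stealth_mode: bool = True       # "Enable Stealth Mode" (default on)
    block_tcp_flood: bool = True    # "Block TCP flood" (default on)
    block_udp_flood: bool = True    # "Block UDP flood" (default on)
    udp_flood_rate: int = 40        # the 1-40 "connections per second" field
    half_open_limit: int = 64       # assumption, see module docstring
    open_ports: set = field(default_factory=lambda: {443})
    half_open: dict = field(default_factory=lambda: defaultdict(int))
    udp_times: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def invalid_tcp(flags: int) -> bool:
        """Flag combinations that never occur in a legitimate TCP exchange."""
        if flags & (FIN | SYN | RST | ACK) == 0:   # no flags at all (null scan)
            return True
        if flags & SYN and flags & (FIN | RST):     # SYN+FIN or SYN+RST
            return True
        if flags & FIN and not flags & ACK:         # FIN without ACK
            return True
        return False

    def check(self, p: Packet) -> str:
        """Return 'forward', 'drop' (silently) or 'reject' (RST/ICMP error sent)."""
        if p.proto == "icmp":
            return "forward" if self.respond_to_ping else "drop"
        if p.proto == "tcp" and self.block_tcp_flood:
            if self.invalid_tcp(p.flags):
                return "drop"
            if p.flags & SYN and not p.flags & ACK:
                # each new SYN opens a half-open connection; cap them per source
                if self.half_open[p.src] >= self.half_open_limit:
                    return "drop"
                self.half_open[p.src] += 1
            elif p.flags & ACK and self.half_open[p.src] > 0:
                # an ACK from the same source completes a pending handshake
                self.half_open[p.src] -= 1
        if p.proto == "udp" and self.block_udp_flood:
            window = self.udp_times[p.src]
            while window and p.t - window[0] >= 1.0:   # keep one second of history
                window.popleft()
            if len(window) >= self.udp_flood_rate:
                return "drop"                           # N per second exceeded
            window.append(p.t)
        if p.dport not in self.open_ports:
            # probe of a closed port: stealth mode answers nothing at all
            return "drop" if self.stealth_mode else "reject"
        return "forward"


def run(fw: AttackChecks, packets) -> list:
    """Apply the checks to a packet sequence and return the decisions."""
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    fw = AttackChecks()
    # constructed sample: a port scan from the WAN followed by a UDP burst from the LAN
    scan = [Packet("tcp", "203.0.113.9", port, SYN, 0.1 * i)
            for i, port in enumerate((22, 80, 443))]
    burst = [Packet("udp", "192.168.1.50", 443, t=1.0 + 0.01 * i) for i in range(45)]
    print(run(fw, scan))                 # ['drop', 'drop', 'forward']
    print(run(fw, burst).count("drop"))  # 5
```

With stealth mode off, the same scan of ports 22 and 80 would return "reject" and the scanner would learn that a host answers at that address; with it on, the only visible port is the one that actually listens. The UDP window is per source, so one noisy LAN host cannot exhaust the allowance of another.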
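The VPN Pass through setting of Table 35 above, as an added example (not NETGEAR code; the SRX5308's NAT implementation is not public): a small NAT model that shows why tunnel packets "become invalid" under NAT and what pass-through changes. TCP and UDP carry port numbers that NAPT can rewrite and use to match replies; IPSec ESP (IP protocol 50) carries an SPI and the GRE carrier of PPTP (protocol 47) a call ID, neither of which NAT understands. With pass-through enabled, the model forwards such packets with only the source address changed and maps replies back by remote gateway. The WAN address, the tunnel table and the one-tunnel-per-remote-gateway rule are assumptions of this model; L2TP's own UDP/1701 control channel has ports and is treated here like any other UDP flow.

```python
"""NAT versus VPN pass-through (added example, not NETGEAR code).

Addresses, the port and tunnel tables and the rule that only one LAN
endpoint per remote gateway can be tracked are constructed for the
demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50
PASSTHROUGH_NAME = {ESP: "IPSec", GRE: "PPTP"}   # check box that covers each carrier


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0      # TCP/UDP only
    dport: int = 0      # TCP/UDP only
    spi: int = 0        # ESP only
    call_id: int = 0    # GRE (PPTP) only


@dataclass
class Nat:
    wan_ip: str = "203.0.113.2"                                    # constructed
    passthrough: set = field(default_factory=lambda: {"IPSec", "PPTP", "L2TP"})
    port_map: dict = field(default_factory=dict)    # (proto, lan_ip, lan_port) -> wan_port
    tunnel_map: dict = field(default_factory=dict)  # (proto, remote_gateway) -> lan_ip
    next_port: int = 40000

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a LAN->WAN packet; None means the firewall drops it."""
        if p.proto in (TCP, UDP):
            key = (p.proto, p.src, p.sport)
            if key not in self.port_map:
                self.port_map[key] = self.next_port
                self.next_port += 1
            return Packet(p.proto, self.wan_ip, p.dst, self.port_map[key], p.dport)
        name = PASSTHROUGH_NAME.get(p.proto)
        if name is None or name not in self.passthrough:
            return None      # no ports to translate and no pass-through: invalid
        key = (p.proto, p.dst)
        lan_ip = self.tunnel_map.setdefault(key, p.src)
        if lan_ip != p.src:
            return None      # a second LAN endpoint to the same gateway is ambiguous
        # pass-through: only the source address changes; SPI / call ID untouched
        return Packet(p.proto, self.wan_ip, p.dst, spi=p.spi, call_id=p.call_id)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a WAN->LAN packet back to the LAN host that owns the flow."""
        if p.proto in (TCP, UDP):
            for (proto, lan_ip, lan_port), wan_port in self.port_map.items():
                if proto == p.proto and wan_port == p.dport:
                    return Packet(p.proto, p.src, lan_ip, p.sport, lan_port)
            return None
        lan_ip = self.tunnel_map.get((p.proto, p.src))
        if lan_ip is None:
            return None      # unsolicited tunnel packet, or pass-through disabled
        return Packet(p.proto, p.src, lan_ip, spi=p.spi, call_id=p.call_id)


if __name__ == "__main__":
    nat = Nat()
    print(nat.outbound(Packet(ESP, "192.168.1.10", "198.51.100.1", spi=0x1001)))
    print(nat.inbound(Packet(ESP, "198.51.100.1", "203.0.113.2", spi=0x2002)))
    print(Nat(passthrough=set()).outbound(
        Packet(GRE, "192.168.1.10", "198.51.100.1", call_id=7)))   # None
```

The second-endpoint rule is the practical limit of pass-through: two LAN hosts tunnelling to the same remote gateway cannot be told apart by address alone, which is why IPSec clients behind NAT normally use NAT traversal over UDP port 4500 instead.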
Set Limits for IPv4 Sessions

The session limits feature allows you to specify the total number of sessions that a single source device (that is, one IP address) is allowed to hold open across the VPN firewall over an IPv4 connection. The session limits feature is disabled by default.

To enable and configure session limits:

1. Select Security > Firewall > Session Limit. The Session Limit screen displays:

Figure 102.

2. Select the Yes radio button under Do you want to enable Session Limit?
3. Enter the settings as described in the following table:
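Before the procedure, the behaviour these settings produce, as an added example (not NETGEAR code; the SRX5308 firmware is not public): a per-device session table that applies the Session Limit Control modes, the User Limit Parameter and User Limit, and the Session Timeout defaults listed in Table 36 below, and keeps the dropped-packet counter the screen displays. The device capacity of 20000 sessions, the 60 second block period, the addresses and the session keys are constructed for the demonstration.

```python
"""Session limit model (added example, not NETGEAR code).

max_sessions, block_period and the sample session keys are constructed
values; the time-out defaults are the ones the Session Limit screen lists.
"""
from dataclasses import dataclass, field

DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 180, "icmp": 120}   # Session Timeout defaults


@dataclass
class SessionLimiter:
    control: str = "exceeds"          # "exceeds" (When single IP exceeds) or "cannot_exceed"
    action: str = "block_new"         # "block_new" or "block_all" (the two radio buttons)
    block_period: int = 60            # seconds entered in the time field (constructed)
    limit_param: str = "number"       # "number" (Number of Sessions) or "percent"
    user_limit: int = 100             # the User Limit field
    max_sessions: int = 20000         # assumed total session capacity of the device
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    sessions: dict = field(default_factory=dict)       # key -> (src, proto, last_seen)
    blocked_until: dict = field(default_factory=dict)  # src -> time the block ends
    dropped: int = 0   # "Total Number of Packets Dropped due to Session Limit"

    def per_device_limit(self) -> int:
        if self.limit_param == "percent":
            return self.max_sessions * self.user_limit // 100
        return self.user_limit

    def expire(self, now: float) -> None:
        """Release sessions that saw no data for longer than their protocol time-out."""
        for key, (_, proto, last_seen) in list(self.sessions.items()):
            if now - last_seen >= self.timeouts[proto]:
                del self.sessions[key]

    def active(self, src: str) -> int:
        return sum(1 for s, _, _ in self.sessions.values() if s == src)

    def packet(self, src: str, proto: str, key: tuple, now: float) -> bool:
        """Account one packet; True if forwarded, False if dropped.

        key identifies the session (for example its 5-tuple). Packets of an
        existing session are always forwarded and refresh its idle timer."""
        self.expire(now)
        if key in self.sessions:
            self.sessions[key] = (src, proto, now)
            return True
        if self.blocked_until.get(src, 0) > now:
            self.dropped += 1                   # new session refused during a block
            return False
        if self.active(src) >= self.per_device_limit():
            self.dropped += 1
            if self.control == "cannot_exceed":
                self.blocked_until[src] = now + self.block_period
                if self.action == "block_all":  # "Block IP's all connections for"
                    for k in [k for k, (s, _, _) in self.sessions.items() if s == src]:
                        del self.sessions[k]
            return False
        self.sessions[key] = (src, proto, now)
        return True


if __name__ == "__main__":
    lim = SessionLimiter(control="cannot_exceed", action="block_all",
                         user_limit=2, block_period=60)
    host = "192.168.1.20"   # constructed LAN host
    print(lim.packet(host, "tcp", ("tcp", host, 50001, "198.51.100.5", 443), 0.0))  # True
    print(lim.packet(host, "tcp", ("tcp", host, 50002, "198.51.100.5", 443), 1.0))  # True
    print(lim.packet(host, "tcp", ("tcp", host, 50003, "198.51.100.5", 443), 2.0))  # False
    print(lim.packet(host, "tcp", ("tcp", host, 50001, "198.51.100.5", 443), 3.0))  # False
    print(lim.dropped, len(lim.sessions))                                           # 2 0
```

The run in the main block shows the sharpest of the options: the third session trips the limit, the two existing sessions are torn down, and even the host's previously open session cannot resume until the block period ends. Because FTP and RTSP open a control session and a separate data session, a User Limit of 2 in Number of Sessions mode allows exactly one such transfer per device.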
Table 36. Session Limit screen settings

Session Limit

Session Limit Control
    From the drop-down list, select one of the following options:
    When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out. You need to specify the action and period by selecting one of the following radio buttons:
    - Block IP to add new session for. No new session is allowed from the IP address for a period. In the time field, specify the period in seconds.
    - Block IP's all connections for. All sessions from the IP address are terminated, and new sessions are blocked for a period. In the time field, specify the period in seconds.
    Single IP Cannot Exceed. When the limit is reached, no new session is allowed from the IP address for a specified period, or all sessions from the IP address are terminated and new sessions are blocked for a specified period.

User Limit Parameter
    From the User Limit Parameter drop-down list, select one of the following options:
    Percentage of Max Sessions. A percentage of the total session connection capacity of the VPN firewall.
    Number of Sessions. An absolute number of maximum sessions.

User Limit
    Enter a number to indicate the user limit. Note the following:
    If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single source device as a percentage of the total session connection capacity of the VPN firewall. (The session limit is per-device based.)
    If the User Limit Parameter is set to Number of Sessions, the number specifies an absolute value.
    Note: Some protocols such as FTP and RTSP create two sessions per connection (a control session and a separate data session), which you should consider when you configure a session limit.

Total Number of Packets Dropped due to Session Limit
    This is a nonconfigurable counter that displays the total number of packets that were dropped because the session limit was reached.

Session Timeout

TCP Timeout
UDP Timeout
ICMP Timeout
    For each protocol, specify a time-out in seconds. A session expires if no data for the session is received during the time-out period. The default time-out periods are 3600 seconds for TCP sessions, 180 seconds for UDP sessions, and 120 seconds for ICMP sessions. Expired sessions are released from the per-device count, so a shorter time-out frees capacity sooner for devices that open many short-lived sessions.

4. Click Apply to save your settings.

Configure Multicast Pass-Through for IPv4 Traffic

IP multicast pass-through allows multicast packets that originate in the WAN, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet. Internet Group Management Protocol (IGMP) is the protocol that IP hosts use to tell their adjacent multicast routers which groups they want to receive.

To configure multicast pass-through:

1. Select Security > Firewall > IGMP. The IGMP screen displays. (The following figure shows one alternate network as an example.)
Figure 103.

2. In the Multicast Pass through section of the screen, select the Yes radio button to enable multicast pass-through. (By default, the Yes radio button is selected and multicast pass-through is enabled.) If no application on the LAN needs multicast from the WAN, select the No radio button instead, because the proxy otherwise forwards any group that a LAN host reports.
    When you enable multicast pass-through, an Internet Group Management Protocol (IGMP) proxy is enabled for the upstream (WAN) and downstream (LAN) interfaces. This proxy allows the VPN firewall to forward relevant multicast traffic from the WAN to the LAN, and to keep track of the IGMP group membership when LAN hosts join or leave the multicast group.
3. If load balancing is configured, select the upstream interface to which multicast traffic is bound, because only a single interface can function as the upstream interface. From the Bind Upstream Interface to drop-down list, select the interface. The default interface is WAN1.
    When you change the WAN mode to load balancing, multicast traffic is bound by default to the active interface of the previous WAN mode.
    If the interface to which multicast traffic is bound is configured for PPPoE or PPTP, you need to add the multicast source address to the Alternate Networks table:
    a. In the Alternate Networks section of the screen, below the table, enter the following settings:
        IP Address. Enter the multicast source IP address.
        Subnet Mask. Enter the subnet mask for the multicast source address.
    b. Click the Add table button in the rightmost column to add the multicast source address to the Alternate Networks table.
    Repeat Step a and Step b for each multicast source address that you need to add to the Alternate Networks table.
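The membership tracking that the IGMP proxy in Step 2 performs, as an added example (not NETGEAR code; the SRX5308's proxy implementation is not public): an IGMPv2 message encoder and parser with checksum verification, and a proxy that keeps one LAN membership table, sends a single join or leave upstream per group, and forwards WAN multicast only to groups with members. The Alternate Networks check of Step 3 is modelled as "when any networks are listed, the multicast source must fall inside one of them"; that interpretation, the interface name, the hosts and the group addresses are assumptions made for the demonstration.

```python
"""IGMPv2 parsing and proxy membership tracking (added example, not NETGEAR code).

The sample hosts, group addresses and the Alternate Networks rule are
constructed for the demonstration.
"""
import ipaddress
import struct

MEMBERSHIP_QUERY, V1_REPORT, V2_REPORT, LEAVE_GROUP = 0x11, 0x12, 0x16, 0x17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Encode an 8-byte IGMPv2 message (type, max response time, checksum, group)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(data: bytes) -> tuple:
    """Decode an IGMPv2 message, rejecting short or corrupted ones."""
    if len(data) < 8:
        raise ValueError("truncated IGMP message")
    if inet_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, max_resp, str(ipaddress.IPv4Address(group))


def igmp_is_valid(data: bytes) -> bool:
    try:
        parse_igmp(data)
        return True
    except ValueError:
        return False


class IgmpProxy:
    def __init__(self, upstream: str = "WAN1", alternate_networks=()):
        self.upstream = upstream                       # "Bind Upstream Interface to"
        self.alternate_networks = [ipaddress.ip_network(n) for n in alternate_networks]
        self.members = {}                              # group -> set of LAN hosts

    def from_lan(self, host: str, data: bytes) -> str:
        """Handle a report or leave from a LAN host; return the upstream action."""
        msg_type, _, group = parse_igmp(data)
        if msg_type in (V1_REPORT, V2_REPORT, LEAVE_GROUP):
            if not ipaddress.IPv4Address(group).is_multicast:
                raise ValueError("not a multicast group: %s" % group)
        if msg_type in (V1_REPORT, V2_REPORT):
            first = group not in self.members
            self.members.setdefault(group, set()).add(host)
            return "join %s on %s" % (group, self.upstream) if first else "no change"
        if msg_type == LEAVE_GROUP:
            hosts = self.members.get(group, set())
            hosts.discard(host)
            if group in self.members and not hosts:
                del self.members[group]            # last member gone: leave upstream
                return "leave %s on %s" % (group, self.upstream)
            return "no change"
        return "ignored"          # queries come from the upstream side, not the LAN

    def forward_from_wan(self, src: str, group: str) -> bool:
        """Forward a WAN multicast packet only to a group with LAN members and,
        when Alternate Networks are configured, only from a listed source."""
        if group not in self.members:
            return False
        if self.alternate_networks:
            return any(ipaddress.ip_address(src) in n for n in self.alternate_networks)
        return True


if __name__ == "__main__":
    proxy = IgmpProxy("WAN1", ["198.51.100.0/24"])   # constructed alternate network
    print(proxy.from_lan("192.168.1.21", build_igmp(V2_REPORT, "239.1.1.1")))   # join
    print(proxy.from_lan("192.168.1.22", build_igmp(V2_REPORT, "239.1.1.1")))   # no change
    print(proxy.forward_from_wan("198.51.100.9", "239.1.1.1"))                  # True
    print(proxy.from_lan("192.168.1.21", build_igmp(LEAVE_GROUP, "239.1.1.1")))  # no change
    print(proxy.from_lan("192.168.1.22", build_igmp(LEAVE_GROUP, "239.1.1.1")))  # leave
```

The proxy hides individual LAN hosts from the upstream router: the WAN side sees one join when the first host reports and one leave when the last host departs, and a group nobody has joined is never forwarded, which is the property to verify with a packet capture on the LAN when a stream does not arrive.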
