Network and System Management
331
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
LAN users (or DMZ users). You can specify which computers on your network are affected by an outbound rule. There are several options:
- Any. The rule applies to all computers and devices on your LAN or DMZ.
- Single address. The rule applies to the address of a particular computer.
- Address range. The rule applies to a range of addresses.
- Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table is an automatically maintained list of all known computers and network devices and is generally referred to as the network database, which is described in Manage the Network Database on page 97. Computers and network devices are entered into the network database by various methods, which are described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
- IP Groups. The rule applies to a group of individual LAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 179. (LAN IP groups do not apply to DMZ WAN outbound rules.)
WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address:
- Any. The rule applies to all Internet IP addresses.
- Single address. The rule applies to a single Internet IP address.
- Address range. The rule applies to a range of Internet IP addresses.
- IP Groups. The rule applies to a group of individual WAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 179.
Schedule. You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 189.
QoS profile. You can apply QoS profiles to outbound rules to regulate the priority of traffic. For information about QoS profiles, see Create Quality of Service Profiles for IPv4 Firewall Rules on page 184.
Bandwidth profile. You can define bandwidth profiles and then apply them to outbound LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.) For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 181.
Content Filtering
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use
the VPN firewall’s content-filtering feature. By default, this feature is disabled; all requested
traffic from any website is allowed.
In order to reduce traffic, the VPN firewall provides the following methods to filter web content:
Keyword blocking. You can specify words that, should they appear in the website name (URL) or newsgroup name, cause that site or newsgroup to be blocked by the VPN firewall.
Web object blocking. You can block the following web component types: embedded objects (ActiveX and Java), proxies, and cookies.
To further narrow down the content filtering, you can configure groups to which the content-filtering rules apply and trusted domains for which the content-filtering rules do not apply.
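The following is an added example (not NETGEAR code and not taken from the manual) that models the keyword-blocking behaviour just described: a keyword anywhere in the site name blocks the request, trusted domains are exempt, and only selected groups are filtered. The keyword list, trusted domain, group names and function names are constructed for illustration; the substring test is the point to watch, because a short keyword over-blocks unrelated names.

```python
"""Keyword blocking with trusted domains and filtered groups (added example)."""
from urllib.parse import urlsplit

BLOCKED_KEYWORDS = ["casino", "torrent"]       # constructed sample keyword list
TRUSTED_DOMAINS = ["example.com"]              # constructed: never filtered, subdomains included
FILTERED_GROUPS = {"Group1", "Guests"}         # constructed: groups the filter applies to


def _split(url: str):
    """urlsplit needs a scheme to populate hostname; assume http for bare names."""
    return urlsplit(url if "://" in url else "http://" + url)


def is_trusted(host: str) -> bool:
    """A trusted domain exempts itself and its subdomains, but not look-alikes
    such as notexample.com (hence the '.' + domain suffix test)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def matched_keyword(url: str):
    """Return the first blocked keyword found in the host name or path, else None.

    This is a plain substring test, as the manual's wording implies, so a short
    keyword over-blocks: 'torrent' also hits torrentialrain.example.net."""
    parts = _split(url)
    haystack = (parts.hostname or "").lower() + parts.path.lower()
    for keyword in BLOCKED_KEYWORDS:
        if keyword.lower() in haystack:
            return keyword
    return None


def filter_request(url: str, group: str):
    """Decide ('allow' | 'block', reason) for a web request from a member of `group`."""
    if group not in FILTERED_GROUPS:
        return "allow", "group is not filtered"
    if is_trusted(_split(url).hostname or ""):
        return "allow", "trusted domain"
    keyword = matched_keyword(url)
    if keyword is not None:
        return "block", f"keyword {keyword!r}"
    return "allow", "no keyword matched"


if __name__ == "__main__":
    for url, group in [("http://www.example.com/casino-night", "Group1"),
                       ("http://torrentialrain.example.net/", "Group1"),
                       ("http://www.casino-games.test/", "Admins")]:
        print(url, group, filter_request(url, group))
```

Two caveats apply to any gateway keyword filter of this kind. First, the match is on the name, not the content, so choose keywords long enough not to collide with legitimate names, and use trusted domains to carve out exceptions. Second, for TLS connections a gateway can only see the host name (from DNS or the TLS handshake), not the path, so keywords that would only appear in a path are not effective for HTTPS sites.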
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain computers on the LAN, you can use the source MAC filtering feature to drop the traffic received from the computers with the specified MAC addresses. By default, this feature is disabled; all traffic received from computers with any MAC address is allowed. Keep in mind that a MAC address is set by the sending host and is easily changed, so source MAC filtering is a convenience control for cooperative devices, not a barrier against a deliberate user. See Enable Source MAC Filtering on page 190 for the procedure on how to use this feature.
Features That Increase Traffic
The following features of the VPN firewall tend to increase the traffic load on the WAN side:
- LAN WAN inbound rules (also referred to as port forwarding)
- DMZ WAN inbound rules (also referred to as port forwarding)
- Port triggering
- Enabling the DMZ port
- Configuring exposed hosts
- Configuring VPN tunnels
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for inbound traffic (from WAN to LAN and from WAN to the DMZ). Any inbound rule that you create allows additional incoming traffic and therefore increases the traffic load on the WAN side. It also exposes the forwarded service to every Internet address covered by the rule's WAN users setting, so restrict that setting to a single address, an address range, or an IP group whenever the remote clients are known.
On the LAN WAN screen, if you have not defined any rules, only the default rule is listed. The default LAN WAN inbound rule blocks all access from outside except responses to requests from the LAN side.
WARNING:
Incorrect configuration of inbound firewall rules can cause serious connection problems.
Each rule lets you specify the desired action for the connections covered by the rule:
- BLOCK always
- BLOCK by schedule, otherwise allow
- ALLOW always
- ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules (Port Forwarding) on page 140. For detailed procedures on how to configure inbound rules, see Configure LAN WAN Rules on page 145 and Configure DMZ WAN Rules on page 152.
When you define inbound firewall rules, you can further refine their application according to the following criteria:
Services. You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not display in the list, you need to define it using the Services screen (see Inbound Rules (Port Forwarding) on page 140 and Add Customized Services on page 177).
WAN destination IP address. You can specify the destination IP address for incoming traffic. Traffic is directed to the specified address only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface.
LAN users (or DMZ users). You can specify which computers on your network are affected by an inbound rule only when the IPv4 routing mode is Classical Routing. When Classical Routing is enabled, there are several options:
- Any. The rule applies to all computers and devices on your LAN or DMZ.
- Single address. The rule applies to the address of a particular computer.
- Address range. The rule applies to a range of addresses.
- Groups. The rule is applied to a group of computers. (You can configure groups for LAN WAN rules but not for DMZ WAN rules.) The Known PCs and Devices table is an automatically maintained list of all known computers and network devices and is generally referred to as the network database, which is described in Manage the Network Database on page 97. Computers and network devices are entered into the network database by various methods, which are described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
- IP Groups. The rule applies to a group of individual LAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 179. (LAN IP groups do not apply to DMZ WAN inbound rules.)
WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address:
- Any. The rule applies to all Internet IP addresses.
- Single address. The rule applies to a single Internet IP address.
- Address range. The rule applies to a range of Internet IP addresses.
- IP Groups. The rule applies to a group of individual WAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 179.
Schedule. You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 189.
Bandwidth profile. You can define bandwidth profiles and then apply them to inbound LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.) For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 181.
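The following is an added example (not NETGEAR code and not taken from the manual) that shows how the rule criteria listed for outbound and inbound rules above, together with the four actions, combine when a connection is evaluated: service, LAN users, WAN users and a shared schedule select the rule, and the action plus schedule state produce the verdict. The field encoding, the first-match ordering, the sample policy and the addresses (from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24) are assumptions for illustration; the device's stateful handling of responses to LAN requests is not modelled.

```python
"""Model of how LAN WAN / DMZ WAN rules are matched against a connection (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Optional


@dataclass
class Schedule:
    """Days of the week and a daily time window; one object is shared by every rule that uses it."""
    days: frozenset          # e.g. frozenset({"Mon", "Tue"})
    start: str               # "HH:MM", 24-hour
    end: str

    def active(self, when: datetime) -> bool:
        return when.strftime("%a") in self.days and self.start <= when.strftime("%H:%M") < self.end


@dataclass
class Rule:
    name: str
    action: str              # one of the four actions listed in the manual
    service: tuple           # ("tcp", 25), ("udp", 53) or ("any", None)
    lan_users: object        # "any" | "192.0.2.10" | ("192.0.2.100", "192.0.2.199") | frozenset({...})
    wan_users: object        # same encodings, for the Internet side
    schedule: Optional[Schedule] = None


def host_matches(selector, addr: str) -> bool:
    """Any / Single address / Address range / Groups and IP Groups (a set of addresses)."""
    ip = ip_address(addr)
    if selector == "any":
        return True
    if isinstance(selector, tuple):
        lo, hi = (ip_address(x) for x in selector)
        return lo <= ip <= hi
    if isinstance(selector, (set, frozenset)):
        return any(ip == ip_address(member) for member in selector)
    return ip == ip_address(selector)


def service_matches(service: tuple, proto: str, port: int) -> bool:
    sproto, sport = service
    return sproto == "any" or (sproto == proto and (sport is None or sport == port))


def decide(rule: Rule, when: datetime) -> str:
    """Apply the rule's action, consulting its schedule only for the 'by schedule' variants."""
    if rule.action == "ALLOW always":
        return "ALLOW"
    if rule.action == "BLOCK always":
        return "BLOCK"
    in_window = rule.schedule is not None and rule.schedule.active(when)
    if rule.action == "BLOCK by schedule, otherwise allow":
        return "BLOCK" if in_window else "ALLOW"
    if rule.action == "ALLOW by schedule, otherwise block":
        return "ALLOW" if in_window else "BLOCK"
    raise ValueError(f"unknown action {rule.action!r}")


def evaluate(rules, conn: dict, when: datetime, default: str):
    """Return (rule name, verdict) for conn = {lan, wan, proto, port}.

    First matching rule wins (assumed ordering); `default` stands in for the
    default rule: ALLOW for outbound traffic, BLOCK for inbound traffic."""
    for rule in rules:
        if (service_matches(rule.service, conn["proto"], conn["port"])
                and host_matches(rule.lan_users, conn["lan"])
                and host_matches(rule.wan_users, conn["wan"])):
            return rule.name, decide(rule, when)
    return "default", default


# Constructed sample policy: one shared schedule, a Groups-style selector, three outbound rules.
OFFICE_HOURS = Schedule(frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}), "09:00", "17:00")
MAIL_SERVERS = frozenset({"192.0.2.10", "192.0.2.11"})

OUTBOUND_RULES = [
    Rule("smtp-from-mail-servers-only", "ALLOW always", ("tcp", 25), MAIL_SERVERS, "any"),
    Rule("smtp-others", "BLOCK always", ("tcp", 25), "any", "any"),
    Rule("web-office-hours", "ALLOW by schedule, otherwise block", ("tcp", 80),
         ("192.0.2.100", "192.0.2.199"), "any", OFFICE_HOURS),
]


def outbound_verdict(lan: str, wan: str, proto: str, port: int, when: datetime):
    return evaluate(OUTBOUND_RULES, {"lan": lan, "wan": wan, "proto": proto, "port": port}, when, "ALLOW")


def sample_verdicts() -> dict:
    """Run the constructed policy over a few connections."""
    monday_10 = datetime(2024, 1, 1, 10, 0)      # 2024-01-01 is a Monday
    saturday_10 = datetime(2024, 1, 6, 10, 0)
    monday_20 = datetime(2024, 1, 1, 20, 0)
    return {
        "mail-server-smtp": outbound_verdict("192.0.2.10", "203.0.113.5", "tcp", 25, monday_10),
        "workstation-smtp": outbound_verdict("192.0.2.50", "203.0.113.5", "tcp", 25, monday_10),
        "web-monday": outbound_verdict("192.0.2.150", "203.0.113.5", "tcp", 80, monday_10),
        "web-saturday": outbound_verdict("192.0.2.150", "203.0.113.5", "tcp", 80, saturday_10),
        "web-evening": outbound_verdict("192.0.2.150", "203.0.113.5", "tcp", 80, monday_20),
        "dns-unmatched": outbound_verdict("192.0.2.150", "203.0.113.5", "udp", 53, monday_10),
    }


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:18s} -> {verdict}")
```

The ordering of the two SMTP rules is what makes the policy work: the narrow allow for the mail-server group must be matched before the broad block, and the web rule shows that a "by schedule" action only changes verdict inside the window of the schedule it references. Changing OFFICE_HOURS changes every rule that uses it, which is the behaviour the manual describes for schedules.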
Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules, and most likely would be blocked.
For the procedure on how to configure port triggering, see Configure Port Triggering on page 197.
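The following is an added example (not NETGEAR code and not taken from the manual) that models the mechanism described above as a small state table: a LAN host that connects outbound to a port in a rule's trigger range arms the rule, and unsolicited inbound packets to the rule's incoming range are then forwarded to that host until the opening times out; anything else falls through to the inbound rules, whose default is to block. The rule values, the 600-second timeout, the refresh-on-traffic behaviour and the one-host-at-a-time limit are assumptions for illustration.

```python
"""Stateful model of port triggering (added example)."""
from dataclasses import dataclass


@dataclass
class TriggerRule:
    name: str
    proto: str          # "tcp" or "udp"
    trigger: tuple      # outbound port range (lo, hi) that arms the rule
    incoming: tuple     # inbound port range (lo, hi) opened while the rule is armed


class PortTriggerTable:
    def __init__(self, rules, timeout=600):
        self.rules = rules
        self.timeout = timeout      # seconds of inactivity before the opening closes (assumed)
        self.armed = {}             # rule name -> (lan_host, expiry)

    def outbound(self, lan_host: str, proto: str, dst_port: int, now: float):
        """Called for outbound connections; returns the name of the rule armed, if any.

        Only one LAN host holds a rule at a time: a later trigger from another
        host takes the opening over (assumed behaviour)."""
        for rule in self.rules:
            if rule.proto == proto and rule.trigger[0] <= dst_port <= rule.trigger[1]:
                self.armed[rule.name] = (lan_host, now + self.timeout)
                return rule.name
        return None

    def inbound(self, proto: str, dst_port: int, now: float):
        """Called for unsolicited inbound packets.

        Returns ("forward", host) when an armed, unexpired rule claims the port,
        otherwise ("inbound-rules", None): the packet is handed to the inbound
        rules, whose default is to block it."""
        for rule in self.rules:
            if rule.proto == proto and rule.incoming[0] <= dst_port <= rule.incoming[1]:
                entry = self.armed.get(rule.name)
                if entry and now < entry[1]:
                    host, _ = entry
                    self.armed[rule.name] = (host, now + self.timeout)   # traffic keeps it open
                    return "forward", host
                self.armed.pop(rule.name, None)                           # expired or never armed
        return "inbound-rules", None


def simulate() -> list:
    """Constructed scenario: a chat client on 192.0.2.20 connects out on TCP 6660-6670
    and expects file transfers back on TCP 4000-4100. Returns the event outcomes in order."""
    table = PortTriggerTable([TriggerRule("chat-dcc", "tcp", (6660, 6670), (4000, 4100))], timeout=600)
    events = []
    events.append(table.inbound("tcp", 4050, now=0))                    # nothing armed yet: blocked
    events.append(table.outbound("192.0.2.20", "tcp", 6665, now=10))    # arms the rule
    events.append(table.inbound("tcp", 4050, now=20))                   # forwarded to .20
    events.append(table.inbound("udp", 4050, now=25))                   # wrong protocol: blocked
    events.append(table.inbound("tcp", 4050, now=720))                  # 700 s idle: timed out
    events.append(table.outbound("192.0.2.21", "tcp", 6661, now=800))   # another host re-arms
    events.append(table.inbound("tcp", 4000, now=805))                  # now goes to .21
    return events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

The model makes the two operational points visible: the incoming range is reachable from any Internet address while the rule is armed, not just from the peer the LAN host contacted, and whichever LAN host triggered last receives the traffic. Both are reasons to keep trigger and incoming ranges as narrow as the application allows.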
DMZ Port
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them. The fourth LAN port on the VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports.
For information about how to enable the DMZ port, see Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic on page 114. For the procedures about how to configure DMZ traffic rules, see Configure DMZ WAN Rules on page 152.
Exposed Hosts
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. Because the exposed host receives inbound traffic for any service you have not otherwise defined, treat it as fully Internet-facing and harden it accordingly. For an example of how to set up an exposed host, see IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host on page 167.
VPN, L2TP, and PPTP Tunnels
The VPN firewall supports site-to-site IPSec VPN tunnels, dedicated SSL VPN tunnels, L2TP tunnels, and PPTP tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. Note that PPTP's authentication and encryption are considered broken; prefer IPSec or SSL VPN tunnels for new deployments.
For information about IPSec VPN, L2TP, and PPTP tunnels, see Chapter 5, Virtual Private Networking Using IPSec and L2TP Connections. For information about SSL VPN tunnels, see Chapter 6, Virtual Private Networking Using SSL Connections.
Use QoS and Bandwidth Assignment to Shift the Traffic Mix
By setting the QoS priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the VPN firewall.
Set QoS Priorities
The QoS priority settings determine the Quality of Service for the traffic passing through the VPN firewall.
You can create and assign QoS profiles to WAN interfaces. For more information about QoS profiles for WAN interfaces, see Configure WAN QoS Profiles on page 76.
You can also create and assign a QoS profile (IPv4) or QoS priority (IPv6) to LAN WAN and DMZ WAN outbound firewall rules. The QoS is set individually for each firewall rule. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others:
- You can accept the default priority defined by the service itself by not changing its QoS priority.
- You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.
For more information about QoS profiles, see Create Quality of Service Profiles for IPv4 Firewall Rules on page 184 and Quality of Service Priorities for IPv6 Firewall Rules on page 186.
Assign Bandwidth Profiles
When you set the QoS priority, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile to a LAN WAN inbound or outbound rule. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links.
For more information about bandwidth profiles, see Create Bandwidth Profiles on page 181.
