ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
Virtual Private Networking Using SSL
7-13
v1.0, October 2008
Using Network Resource Objects to Simplify Policies
Network resources are groups of IP addresses, IP address ranges, and services. By defining
resource objects, you can more quickly create and configure network policies. You will not need to
redefine the same set of IP addresses or address ranges when configuring the same access policies
for multiple users.
Defining network resources is optional; smaller organizations can choose to create access policies
using individual IP addresses or IP networks rather than predefined network resources. But for
most organizations, we recommend that you use network resources. If your server or network
configuration changes, by using network resources you can perform an update quickly instead of
individually updating all of the user and group policies.
Adding New Network Resources
To define a network resource:
1. Select VPN > SSL VPN from the main/submenu, and then select the Resources tab. The Resources screen displays.
2. In the Add New Resource section, type the (qualified) resource name in the Resource Name field.
3. In the Service pull-down menu, select the type of service to apply to the resource: either VPN Tunnel or Port Forwarding.
4. Click Add. The “Operation succeeded” message appears at the top of the tab, and the newly added resource name appears in the List of Resources table.
Figure 7-6
5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen displays.
6. From the Object Type pull-down menu, select either IP Address or IP Network:
   • If you selected IP Address, enter an IP address or fully qualified domain name in the IP Address/Name field.
   • If you selected IP Network, enter the IP network address in the Network Address field, and enter the mask length in the Mask Length (0-31) field.
7. Enter the Port Range or Port Number for the IP Address or IP Network you selected.
8. Click Apply to add the IP address or IP network to the resource. The new configuration appears in the Defined Resource Addresses table, as shown in Figure 7-7.
Configuring User, Group, and Global Policies
An administrator can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. When more than one policy applies to a request, a fixed hierarchy decides which policy takes precedence. The firewall policy hierarchy is:
1. User policies take precedence over all group policies.
2. Group policies take precedence over all global policies.
3. If two or more policies at the same level (user, group, or global) match, the most specific policy takes precedence.
Figure 7-7
For example, a policy configured for a single IP address takes precedence over a policy configured
for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over
a policy applied to all IP addresses. If two or more IP address ranges are configured, then the
smallest address range takes precedence. Hostnames are treated the same as individual IP
addresses.
Network resources are prioritized just like other address ranges. However, the prioritization is
based on the individual address or address range, not the entire network resource.
For example, assume the following global policy configuration:
• Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 – 10.0.0.255.
• Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10.
• Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 – 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user attempted to access:
• An FTP server at 10.0.0.1, the user would be blocked by Policy 1.
• An FTP server at 10.0.1.5, the user would be blocked by Policy 2.
• An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 – 10.0.0.20 is more specific than the IP address range defined in Policy 1.
• An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.
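The precedence rules above, as an added example that is not NETGEAR's firmware code: a small Python model that ranks every matching policy entry first by level (user, group, global), then by address specificity, treats each member of a network resource as its own entry, and matches a hostname entry literally rather than by reverse DNS lookup. The forward-DNS table, the deny-by-default result when nothing matches, and the first-defined-wins tie-break are assumptions made for illustration; the three policies are the section's own.

```python
"""Model of the SSL VPN policy precedence described in this section.

Added illustration, not NETGEAR code. The DNS table, the default action when
nothing matches, and the tie-break on definition order are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple, Union

USER, GROUP, GLOBAL = 0, 1, 2      # scope levels; lower number wins
ALL_SERVICES = "ALL"

# Constructed forward-DNS table: the firewall resolves a name the user types,
# but never maps an IP address back to a name (no reverse DNS lookup).
DNS = {"ftp.company.com": IPv4Address("10.0.1.3")}


@dataclass(frozen=True)
class Host:
    """Hostname entry; matched literally against the requested name only."""
    name: str


@dataclass(frozen=True)
class Range:
    """Inclusive IPv4 range; a single address has first == last."""
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def single(cls, ip: str) -> "Range":
        a = IPv4Address(ip)
        return cls(a, a)

    @classmethod
    def network(cls, cidr: str) -> "Range":
        """An 'IP Network' entry (network address plus mask length)."""
        net = IPv4Network(cidr)
        return cls(net.network_address, net.broadcast_address)


ALL_ADDRESSES = Range(IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
Target = Union[Host, Range]


@dataclass(frozen=True)
class Policy:
    name: str
    level: int                   # USER, GROUP or GLOBAL
    service: str                 # e.g. "FTP", or ALL_SERVICES
    action: str                  # "PERMIT" or "DENY"
    targets: Tuple[Target, ...]  # a network resource contributes several


def specificity(t: Target) -> int:
    """Addresses an entry covers; smaller is more specific. A hostname
    counts as one address, exactly like a single IP."""
    if isinstance(t, Host):
        return 1
    return int(t.last) - int(t.first) + 1


def matches(t: Target, name: Optional[str], ip: IPv4Address) -> bool:
    if isinstance(t, Host):
        return name == t.name    # no reverse lookup: a bare IP never matches
    return t.first <= ip <= t.last


def evaluate(policies: List[Policy], dest: str, service: str) -> Tuple[str, Optional[str]]:
    """Return (action, policy name) for a request to `dest` (IP or hostname)
    over `service`. Deny by default when nothing matches (assumption)."""
    if dest in DNS:
        name, ip = dest, DNS[dest]
    else:
        name, ip = None, IPv4Address(dest)   # ValueError for unknown names
    best = None   # ((level, specificity, definition order), policy)
    for order, p in enumerate(policies):
        if p.service not in (ALL_SERVICES, service):
            continue
        for t in p.targets:     # each resource member is ranked on its own
            if matches(t, name, ip):
                key = (p.level, specificity(t), order)
                if best is None or key < best[0]:
                    best = (key, p)
    return ("DENY", None) if best is None else (best[1].action, best[1].name)


# The section's worked example, entered as three global policies.
POLICIES = [
    Policy("Policy 1", GLOBAL, ALL_SERVICES, "DENY",
           (Range(IPv4Address("10.0.0.0"), IPv4Address("10.0.0.255")),)),
    Policy("Policy 2", GLOBAL, "FTP", "DENY",
           (Range(IPv4Address("10.0.1.2"), IPv4Address("10.0.1.10")),)),
    Policy("Policy 3", GLOBAL, "FTP", "PERMIT",      # the "FTP Servers" resource
           (Range(IPv4Address("10.0.0.5"), IPv4Address("10.0.0.20")),
            Host("ftp.company.com"))),
]

if __name__ == "__main__":
    for dest in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com", "10.0.1.3"):
        print(f"FTP to {dest:16} -> {evaluate(POLICIES, dest, 'FTP')}")
```

The last lookup in the usage loop shows the reverse-DNS caveat: a request to 10.0.1.3 by address falls through to Policy 2's deny, because the Host entry for ftp.company.com in Policy 3 only matches when the user asks for that name. Adding a user-level policy for 10.0.0.1 overrides Policy 1 regardless of range size, which is the user > group > global rule in action.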
Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The firewall policy engine does not perform reverse DNS lookups.
Viewing Policies
To view the existing policies, follow these steps:
1. Select VPN > SSL VPN from the main/submenu, and then select the Policies tab. The Policies screen displays.
2. Make your selection from the following Query options:
   • Click Global to view all global policies.
   • Click Group to view group policies, and choose the relevant group’s name from the pull-down menu.
   • Click User to view user policies, and choose the relevant user’s name from the pull-down menu.
3. Click the Display button. The List of SSL VPN Policies shows the policies for your selected Query option. Change the Query selection and click Display again to view each of the three policy types.
Adding a Policy
To add a policy, follow these steps:
1. Select VPN > SSL VPN from the main/submenu, and select the Policies tab. The Policies screen displays.
2. Make your selection from the following Query options:
   • Click Global if this new policy is to apply to all users and groups.
   • Click Group if this new policy is to be limited to a selected group. Open the pull-down menu and choose the relevant group’s name.
   • Click User if this new policy is to be limited to a selected user. Open the pull-down menu and choose the individual user’s name.
Figure 7-8
Figure 7-9
3. Click Add. The Add Policies screen appears.
4. In the Add SSL VPN Policies section, review the Apply Policy To options and click one. Depending upon your selection, specific options to the right are activated or inactivated, as noted in the following:
   • If you choose Network Resource, you’ll need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down menus. If a needed network resource has not been defined, you can add it before proceeding with this new policy. See “Adding New Network Resources” on page 7-13.
   • If you choose IP Address, you’ll need to enter a descriptive Policy Name, the specific IP Address, then choose the Service and relevant Permission from the pull-down menus.
Note: You should have already created the needed groups or users as described in “Adding Authentication Domains, Groups, and Users” on page 8-1.
Figure 7-10