Netgear SRX5308 SRX5308 Reference Manual

Netgear SRX5308 - ProSafe® Quad WAN Gigabit SSL VPN Firewall Manual

Netgear SRX5308 manual content summary:

  • Netgear SRX5308 | SRX5308 Reference Manual - Page 1
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10536-01 April 2010 v1.0
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 2
    or circuit layout(s) described herein. The NETGEAR® ProSafe™ Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual describes how to install, configure, and troubleshoot a ProSafe Gigabit Quad WAN SSL VPN Firewall. The information in this manual is intended for readers with intermediate computer
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 3
    to Print This Manual xii Revision History ...xii Chapter 1 Introduction What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall 1-1 Key Features and Capabilities 1-2 Quad-WAN Ports for Increased Reliability and Outbound Load Balancing 1-3 Advanced VPN Support for Both IPsec and SSL 1-3 A Powerful
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 4
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Logging In to the VPN Firewall 2-3 Understanding the Web Management Interface Menu Layout 2-5 Configuring the Internet Connections 2-7 Automatically Detecting and Connecting 2-7 Setting the VPN Firewall's MAC Address 2-11
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 5
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Chapter 4 Firewall Protection About Firewall Protection 4-1 Administrator Tips ...4-2 Using Rules to Block or Allow Specific Kinds of Traffic 4-2 Services-Based Rules 4-3 Order of Precedence for Rules 4-10 Setting LAN WAN Rules
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 6
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Testing the Connections and Viewing Status Information 5-16 Testing the VPN Connection 5-16 NETGEAR VPN Client Status and Log Information 5-17 Viewing the VPN Firewall IPsec VPN Connection Status 5-19 Viewing the VPN Firewall IPSec VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 7
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Adding New Network Resources 6-14 Editing Network Resources to Specify Addresses 6-15 Configuring User, Group, and Global Policies 6-17 Viewing Policies ...6-18 Adding a Policy ...6-19 Accessing the SSL Portal Login Screen 6-23
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 8
    -Out Error Occurs 10-4 Troubleshooting the ISP Connection 10-5 Troubleshooting a TCP/IP Network Using the Ping Utility 10-6 Testing the LAN Path to Your VPN Firewall 10-7 Testing the Path from Your PC to a Remote Device 10-7 Restoring the Default Configuration and Password 10-8 Problems with
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 9
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Appendix A Default Settings and Technical Specifications Appendix B Network Planning for Multiple WAN Ports What to Consider Before You Begin B-1 Cabling and Computer Hardware Requirements B-3 Computer Network Configuration
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 10
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual DMZ to LAN Logs C-19 WAN to DMZ Logs C-19 Other Event Logs ...C-20 Session Limit Logs C-20 Source MAC Filter Logs C-20 Bandwidth Limit Logs C-20 DHCP Logs ...C-21 Appendix D Two-Factor Authentication Why Do I Need Two-Factor
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 11
    About This Manual The NETGEAR® ProSafe™ Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual describes how to install, configure, and troubleshoot a ProSafe Gigabit Quad WAN SSL VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 12
    these specifications: Product Version ProSafe Gigabit Quad WAN SSL VPN Firewall Manual Publication Date April 2010 For more information about network, Internet, firewall, and VPN technologies, click the links to the NETGEAR Website in Appendix E, "Related Documents." Note: Product updates are
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 13
    keywords. The SRX5308 provides advanced IPsec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds. The SRX5308 is a plug-and-play device that can be installed and configured within minutes
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 14
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Key Features and Capabilities The SRX5308 provides the following key features and capabilities: • Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connection, providing
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 15
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Quad-WAN Ports for Increased Reliability and Outbound Load Balancing The SRX5308 provides four broadband WAN ports. These WAN ports allow you to connect additional broadband Internet lines that can be configured to: • Load-balance
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 16
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual A Powerful, True Firewall with Content Filtering Unlike simple NAT routers, the SRX5308 is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 17
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Autosensing Ethernet Connections with Auto Uplink With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the SRX5308 can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 18
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Easy Installation and Management You can install, configure, and operate the SRX5308 within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-based management.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 19
    rack-mounting kit • ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide • Resource CD, including: - Application Notes and other helpful information - ProSafe VPN Client software (VPN01L) If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 20
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in Table 1-1. Power LED DMZ LED Left LAN LEDs Left
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 21
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 1-1. LED Descriptions (continued) Object Activity Right LED DMZ LED On (Green) On (Amber) Off On (Green) Off WAN Ports Left LED On (Green) Blink (Green) Off Right LED On (Green) On (Amber) Off Internet LED On (Green)
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 22
    (CLI) using the console port, see "Using the Command-Line Interface" on page 8-14. 3. Factory default reset button. Using a sharp object, press and hold this button for about eight seconds until the front panel Test light flashes to reset the SRX5308 to factory default settings. All configuration
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 23
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Choosing a Location for the SRX5308 The SRX5308 is suitable for use in an the SRX5308, see Appendix A, "Default Settings and Technical Specifications." Using the Rack-Mounting Kit Use the mounting kit for the SRX5308 to install
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 24
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 1-12 v1.0, April 2010 Introduction
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 25
    the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://kbserver.netgear.com/products/SRX5308.asp. 2. Log in to the VPN firewall. After logging in, you are ready to set up and configure your VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 26
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Configure the Internet connections to your ISPs. During this phase, you connect to your ISPs. You can also program the WAN traffic meters at this time if desired. See "Configuring the Internet Connections" on page 2-7. 4.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 27
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Logging In to the VPN Firewall To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall via DHCP. For instructions on how to configure your computer for DHCP,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 28
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 29
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out. Understanding the Web Management Interface Menu Layout Figure 2-3 shows the menu at the top of the Web Management Interface. 3rd
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 30
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. Figure 2-4 shows an example. Figure 2-4 Any
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 31
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Down. Move down the selected entry in the table. • Apply. Apply the selected entry. Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the Help icon. Configuring the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 32
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IP address of the WAN interface. • Failure Detection
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 33
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-7 3. Click the Auto Detect button at the bottom of the screen. The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. Connecting the VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 34
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The auto detect process returns one of the following results: • If the auto-detect process is successful, a status bar at the top of the screen displays the results (for example, "DHCP service detected"). • If the auto detect
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 35
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to "Manually Configuring the Internet Connection" on this page or see "Troubleshooting the ISP Connection" on page
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 36
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click the Edit button in the Action column of the WAN interface for which you want to automatically configure the connection to the Internet. The WAN ISP Settings screen displays (see Figure 2-7 on page 2-9, which shows the WAN1
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 37
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in Table 2-2. Table 2-2. PPTP and PPPoE Settings Setting Description (or Subfield and Description) Austria (PPTP) If your
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 38
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 7. In the Internet (IP) Address section of the screen, configure the IP address settings as explained in Table 2-3. Click the Current IP Address link to see the currently assigned IP address. Figure 2-11 Table 2-3. Internet (IP)
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 39
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 8. In the Domain Name Server (DNS) Servers section of the screen, specify the DNS settings as explained in Table 2-4. Figure 2-12 Table 2-4. DNS Server Settings Setting Get Automatically from ISP Use These DNS Servers Description
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 40
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the WAN Mode The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 41
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note the following about NAT: • The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any incoming data. • If you have only a single public Internet IP address, you must use NAT (the default setting). • If your
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 42
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the Auto-Rollover Mode and Failure Detection Method To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 43
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-13 3. In the Load Balancing Settings section of the screen, configure the following settings: a. Select the Primary WAN Mode radio button. b. From the corresponding drop-down list on the right, select a WAN interface to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 44
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the Failure Detection Method To configure the failure detection method: 1. Select Network Configuration > WAN Settings from the menu. The WAN screen displays (see Figure 2-6 on page 2-7). 2. Click the Edit button in the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 45
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-5. Failure Detection Method Settings (continued) Setting Ping Retry Interval is Failover after Description (or Subfield and Description) Pings are sent to a server with a public IP address. This server should not reject
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 46
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Load Balancing To configure load balancing: 1. Select Network Configuration > WAN Settings from the menu. 2. Click the WAN Mode tab. The WAN Mode screen displays. Figure 2-15 3. In the Load Balancing Settings section of
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 47
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Protocol Binding (Optional) To configure protocol binding and add protocol binding rules: 1. Select Network Configuration > Protocol Binding from the menu. 2. Select the Load Balancing radio button. The Protocol Bindings
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 48
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-17 4. Configure the protocol binding settings as explained in Table 2-6. Table 2-6. Protocol Binding Settings Setting Description (or Subfield and Description) Service From the drop-down list, select a service or
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 49
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-6. Protocol Binding Settings (continued) Setting Destination Network Description (or Subfield and Description) The destination network settings determine which Internet locations (based on their IP address) are covered by
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 50
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For more information about firewall rules, see "Using Rules to Block or Allow Specific Kinds of Traffic" on page 4-2. Note: It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 51
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-18 The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface. 4. In the Add WAN Secondary Addresses section of the screen, enter the following settings: • IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 52
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 53
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-19 Connecting the VPN Firewall to the Internet v1.0, April 2010 2-29
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 54
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click the Information option arrow in the upper right corner of a DNS screen for registration information. Figure 2-20: 4. Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 55
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 6. Click Apply to save your configuration. Configuring Advanced WAN Options The advanced options include configuration of the maximum transmission unit (MTU) size, port speed, VPN firewall's MAC address, and setting a rate limit on
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 56
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-21 4. Enter the settings as explained in Table 2-8. Table 2-8. Advanced WAN Settings Setting Description (or Subfield and Description) MTU Size Make one of the following selections: Default Select the Default radio
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 57
    VPN firewall can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem or router
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 58
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-8. Advanced WAN Settings (continued) Setting Description (or Subfield and Description) Upload/Download Settings These settings rate-limit the traffic that is being forwarded by the VPN firewall. WAN Connection Type WAN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 59
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual What to Do Next The following sections describe important tasks that you might want to address before you deploy the VPN firewall in your network: • "Configuring VPN Authentication Domains, Groups, and Users" on page 7-1. • "Managing
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 60
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2-36 Connecting the VPN Firewall to the Internet v1.0, April 2010
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 61
    your VPN firewall. This chapter contains the following sections: • "Managing Virtual LANs and DHCP Options" on this page • "Configuring Multi-Home LAN IP Addresses on the Default VLAN" on page 3-12 • "Managing Groups and Hosts (LAN Groups)" on page 3-14 • "Configuring and Enabling the DMZ Port" on
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 62
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VLANs have a number of advantages: • They make it easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 63
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 64
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For each VLAN profile, the following fields are displayed in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: - Green circle. The VLAN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 65
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The VPN firewall delivers the following settings to any LAN device that requests DHCP: • An IP address from the range that you have defined • Subnet mask • Gateway IP address (the VPN firewall's LAN IP address) • Primary DNS server (
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 66
    each VLAN on the VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing. To add or edit a VLAN profile: 1. Select Network Configuration > LAN Settings from the menu. The LAN submenu tabs display, with the LAN Setup screen
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 67
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 68
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 3-1. Table 3-1. VLAN Profile Settings Setting Description (or Subfield and Description) VLAN Profile Profile Name VLAN ID Port Membership Port 1 Port 2 Port 3 Port 4 / DMZ IP Setup IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 69
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-1. VLAN Profile Settings (continued) Setting Enable DHCP Server DHCP Relay Description (or Subfield and Description) Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 70
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-1. VLAN Profile Settings (continued) Setting Description (or Subfield and Description) Enable LDAP information Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 71
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 72
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Select the Advanced option arrow at the top right of the LAN Setup screen. The LAN Advanced screen displays. Figure 3-4 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4. As an option, you
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 73
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 74
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Repeat step 3 and step 4 for each secondary IP address that you want to add to the Available Secondary LAN IPs table. Note: Secondary IP addresses cannot be configured on the DHCP server. The hosts on the secondary subnets must be
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 75
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Some advantages of the network database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the name of the desired PC or device. • There is no need to reserve an IP address for
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 76
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 3-6 The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields are displayed: • Check box. Allows you to select the PC or
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 77
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Adding PCs or Devices to the Network Database To add PCs or devices manually to the network database: 1. In the Add Known PCs and Devices section of the LAN Groups screen (see Figure 3-6 on page 3-16), enter the settings as
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 78
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Editing PCs or Devices in the Network Database To edit PCs or devices manually in the network database: 1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 3-6 on page 3-16), click the Edit table
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 79
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click the Edit Group Names option arrow at the top right of the LAN Groups screen. The Network Database Group Names screen displays. (Figure 3-8 shows
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 80
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To reserve an IP address, select Reserved (DHCP Client) from the IP Address Type drop-down list on the LAN Groups screen as described in "Adding PCs or Devices to the Network Database" on page 3-17 or on the Edit Groups and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 81
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To enable and configure the DMZ port: 1. Select Network Configuration > DMZ Setup from the menu. The DMZ Setup screen displays. Figure 3-9 2. Enter the settings as explained in Table 3-3 on page 3-22. LAN Configuration v1.0, April
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 82
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-3. DMZ Setup Settings Setting Description (or Subfield and Description) DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 83
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-3. DMZ Setup Settings (continued) Setting Description (or Subfield and Description) Enable DHCP Server Primary DNS (continued) Server This is optional. If an IP address is specified, the VPN firewall provides this
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 84
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-3. DMZ Setup Settings (continued) Setting DNS Proxy Enable DNS Proxy Description (or Subfield and Description) This is optional. Select the Enable DNS Proxy radio button to enable the VPN firewall to provide a LAN IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 85
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Static Routes To add a static route to the Static Route table: 1. Select Network Configuration > Routing from the menu. The Routing screen displays. Figure 3-10 For information about the fields of the Static Routes table,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 86
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 3-4. Table 3-4. Static Route Settings Setting Description (or Subfield and Description) Route Name The route name for the static route (for purposes of identification and management).
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 87
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Routing Information Protocol Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 88
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-5. RIP Configuration Settings Setting Description (or Subfield and Description) RIP RIP Direction RIP Version From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 89
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-5. RIP Configuration Settings (continued) Setting Authentication for RIP-2B/2M required? (continued) Description (or Subfield and Description) Not Valid Before The beginning of the lifetime of the MD5 key. Enter
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 90
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3-30 v1.0, April 2010 LAN Configuration
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 91
    of Traffic" on page 4-2 • "Configuring Other Firewall Features" on page 4-26 • "Creating Services, QoS Profiles, and Bandwidth Profiles" on page 4-31 • "Setting a Schedule to Block or Allow Specific Traffic" on page 4-40 • "Content Filtering (Blocking Internet Sites)" on page 4-41 • "Enabling Source
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 92
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Administrator Tips Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see "Configuring VPN Authentication Domains, Groups, and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 93
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The firewall rules for blocking and allowing traffic on the VPN firewall can be applied to a combination of LAN-WAN traffic, DMZ-WAN traffic, and LAN-DMZ traffic. Table 4-1. Number of Supported Firewall Rule Configurations Traffic
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 94
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Outbound Rules (Service Blocking) The VPN firewall allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Note: See "Enabling Source MAC Filtering" on page
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 95
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-2. Outbound Rules Overview (continued) Setting Select Schedule LAN Users WAN Users DMZ Users QoS Profile Description (or Subfield and Description) The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 96
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-2. Outbound Rules Overview (continued) Setting Bandwidth Profile Log NAT IP Description (or Subfield and Description) Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 97
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 98
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • "Setting LAN DMZ Rules" on page 4-18. Table 4-3. Inbound Rules Overview Setting Description (or Subfield and Description) Service The service or application to be covered by this rule. If the service or application does not
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 99
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-3. Inbound Rules Overview (continued) Setting WAN Users DMZ Users QoS Profile Log Bandwidth Profile Description (or Subfield and Description) The settings that determine which Internet locations are covered by the rule,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 100
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual list, as shown in the LAN WAN Rules screen example in Figure 4-1 on page 4-10. For any traffic attempting to pass through the firewall rules at the top (those with the most specific services or addresses). The Up and Down table buttons
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 101
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Setting LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 102
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Edit. Allows you to make any changes to the definition of an existing rule.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 103
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To create a new outbound LAN WAN service rule: 1. In the LAN WAN Rules screen, click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen displays (Figure 4-3 shows an example). Figure 4-3
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 104
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-4 2. Enter the settings as explained in Table 4-3 on page 4-8. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Setting DMZ WAN Rules The firewall rules for traffic between the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 105
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To access the DMZ WAN Rules screen: 1. Select Security > Firewall from the menu. The Firewall submenu tabs display. 2. Click the DMZ WAN Rules submenu tab. The DMZ WAN Rules screen displays. (Figure 4-5 shows a rule in the Outbound Services
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 106
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click one of the following table buttons: • Disable. Disables the rule or rules. The "!" status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. (By default, when a rule
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 107
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled. DMZ WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 108
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Setting LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 109
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To delete or disable one or more rules: 1. Select the check box to the left of the rule that you want to delete or disable,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 110
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Enter the settings as explained in Table 4-2 on page 4-4. 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled. LAN DMZ Inbound Services Rules The Inbound Services table lists
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 111
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Inbound Rules Examples LAN WAN Inbound Rule: Hosting a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 112
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-12 LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 113
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 114
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. From the Service drop-down list, select HTTP for a Web server. 5. From the Action drop-down list, select ALLOW Always. 6. In the Send to LAN Server field, enter the local IP address of your Web server PC (192.168.1.2 in this
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 115
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 1. Select Any and sites. LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 116
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-15 Configuring Other Firewall Features You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions. Attack Checks The Attack Checks
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 117
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-16 3. Enter the settings as explained in Table 4-4. Table 4-4. Attack Checks Settings Setting Description (or Subfield and Description) WAN Security Checks Respond to Ping on Internet Ports Select the Respond to Ping
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 118
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-4. Attack Checks Settings (continued) Setting Description (or Subfield and Description) LAN Security Checks. Block UDP flood Disable Ping Reply on LAN Ports Select the Block UDP flood check box to prevent the VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 119
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Setting Session Limits The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the VPN firewall. The session limits feature is disabled by default. To
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 120
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-5. Session Limit Settings (continued) Setting Description (or Subfield and Description) User Limit Enter a number to indicate the user limit. If the User Limit Parameter is set to Percentage of Max Sessions, the number
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 121
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-18 3. Select the Enable SIP ALG check box. 4. Click Apply to save your settings. Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 122
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 123
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. In the Add Customer Service section of the screen, enter the settings as explained in Table 4-6. Table 4-6. Services Settings Setting Name Type ICMP Type Start Port Finish Port Description (or Subfield and Description) A
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 124
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click Apply to save your changes. The modified service is displayed in the Custom Services Table. Creating Quality of Service (QoS) Profiles A Quality of Service (QoS) profile defines the relative priority of an IP packet when
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 125
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To create a QoS profile: 1. Select Security > Services from the menu. The Services submenu tabs display, with the Services screen in view. 2. Click the QoS Profiles submenu tab. The QoS Profiles screen displays. Figure 4-21 shows
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 126
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP precedence, DHCP, and their values. Table 4-7. QoS Profile Settings Setting Description (or Subfield and Description) Profile Name
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 127
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Modify the settings that you wish to change (see Table 4-7 on page 4-36). 3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table. Creating Bandwidth Profiles Bandwidth profiles
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 128
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-23 The screen displays the List of Bandwidth Profiles table with the user-defined profiles. 2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays. Figure 4-24
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 129
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 4-8. Table 4-8. Bandwidth Profile Settings Setting Description (or Subfield and Description) Profile Name A descriptive name of the bandwidth profile for identification and management
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 130
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To edit a bandwidth profile: 1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays. 2. Modify the settings that
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 131
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is active only on specific days. To the right of the radio buttons
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 132
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual - ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 133
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-26
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 134
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Enter the settings as explained in Table 4-9. Table 4-9. Content Filtering Settings Setting Description (or Subfield and Description) Web Components Select the check boxes of any Web components that you wish to block. The Web
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 135
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed. When the source MAC address filter is enabled, depending on the selected policy, traffic is either permitted or blocked
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 136
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. In the same section, below the radio buttons, select one of the following options from the dropdown list: • Block. Traffic coming from all addresses in the MAC Addresses table is blocked. • Permit. Traffic coming from all
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 137
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual If all of the preceding host entry examples are added to the IP/MAC Bindings table, the following scenarios indicate the possible outcome. • Host1. Matching IP address and MAC address in the IP/MAC Bindings table. • Host2. Matching
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 138
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 4-10. Table 4-10. IP/MAC Binding Settings Setting Description (or Subfield and Description) Email IP/MAC Violations Do you want to enable E-mail Logs for IP/MAC Binding Violation?
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 139
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Once configured, port triggering operates as follows: 1. A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table. 2. The VPN firewall records this connection, opens the additional
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 140
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-29 2. Below Add Port Triggering Rule, enter the settings as explained in Table 4-11. Table 4-11. Port Triggering Settings Setting Description (or Subfield and Description) Name A descriptive name of the rule for
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 141
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To edit a port triggering rule (for example, to enable the rule): 1. In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 142
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-31 2. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.) To disable the feature, select No. 3. Configure the following fields: - Advertisement Period. Enter the period in minutes
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 143
    37 • "Assigning IP Addresses to Remote Users (Mode Config)" on page 5-42 • "Configuring Keepalives and Dead Peer Detection" on page 5-55 • "Configuring NetBIOS Bridging with IPsec VPN" on page 5-59 Considerations for Multi-WAN Port Systems If two WAN ports of the VPN firewall are configured, you can
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 144
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The following diagrams and table show how the WAN mode selection relates to VPN configuration. WAN Auto-Rollover: FQDN Required for VPN VPN Firewall Rest of VPN Firewall Functions VPN Firewall WAN Port Functions VPN Firewall
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 145
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Using the IPsec VPN Wizard for Client and Gateway Configurations You can use the IPsec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 146
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-4 To view the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 5-5 on page 5-5) displaying the wizard default values. After you
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 147
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-5 3. Select the radio buttons and complete the fields as explained in Table 5-2. Table 5-2. (IPsec) VPN Wizard Settings for a Gateway-to-Gateway Tunnel Setting Description (or Subfield and Description) About VPN Wizard
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 148
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-2. (IPsec) VPN Wizard Settings for a Gateway-to-Gateway Tunnel (continued) Setting Description (or Subfield and Description) Enable RollOver? If you have configured the VPN firewall to function in WAN autorollover mode (
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 149
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. Figure 5-6 5. Configure a VPN policy on the remote gateway
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 150
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 151
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-9 To display the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 5-5 on page 5-5), displaying the wizard default values. After you
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 152
    WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-3. (IPsec) VPN Wizard Settings for a Client-to-Gateway Tunnel Setting Description (or Subfield and Description) About VPN Wizard This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 153
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. Figure 5-10 Note: When using FQDNs, if the dynamic DNS service
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 154
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-11 2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using MainOffice. Figure 5-12
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 155
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 5-4. Table 5-4. Security Policy Editor: Remote Party Settings Setting Description (or Subfield and Description) Connection Security Select the Secure radio button. If you want to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 156
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 5. In the left frame, click My Identity. The screen adjusts. Figure 5-13 6. Enter the settings as explained in Table 5-5. Table 5-5. Security Policy Editor: My Identity Settings Setting Select Certificate Description (or Subfield
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 157
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-5. Security Policy Editor: My Identity Settings (continued) Setting ID Type Secure Interface Configuration Internet Interface Description (or Subfield and Description) From the drop-down list, select Domain Name. Then,
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 158
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 9. Enter the settings as explained in Table 5-6. Table 5-6. Security Policy Editor: Security Policy Settings Setting Description (or Subfield and Description) Select Phase 1 Negotiation Select the Aggressive Mode radio button.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 159
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-15 In the example that is shown in Figure 5-15, you should receive the message "Successfully connected to My Connections\UTM_SJ" within 30 seconds. The VPN client icon in the system tray should say On: NETGEAR VPN Client
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 160
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Right-click the VPN client icon in the system tray and select Log Viewer. The Log Viewer screen displays details about the active connection or troubleshooting information that might help you to determine why you cannot get an
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 161
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Viewing the VPN Firewall IPsec VPN Connection Status To review the status of current IPsec VPN tunnels: Select VPN > Connection Status from the menu. The VPN Connection Status submenu tabs display, with the IPSec VPN Connection
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 162
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Viewing the VPN Firewall IPSec VPN Logs To view the IPsec VPN logs: Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. Figure 5-19 Click Refresh Log to view the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 163
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring IKE Policies The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways, and provides automatic management of the keys that are used for IPsec connections. It is important to remember that
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 164
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (Figure 5-20 shows some examples). Figure 5-20 Each policy
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 165
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To delete one or more IKE policies: To manually add an IKE policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (see Figure 5-20 on page 5-22). 2. Under the List of
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 166
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-21 3. Complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in Table 5-10 on page 5-25.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 167
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-10. Add IKE Policy Settings Item Description (or Subfield and Description) Mode Config Record Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 168
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-10. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Local Select Local Gateway Identifier Type From the drop-down list, select one of the four WAN interfaces to function as the local
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 169
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-10. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Authentication Algorithm From the drop-down list, select one of the following two algorithms to use in the VPN header for the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 170
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-10. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Extended Authentication XAUTH Configuration Note: For more information about XAUTH and its authentication modes, see "Configuring
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 171
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Modify the settings that you wish to change (see Table 5-10 on page 5-25). 4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Configuring VPN Policies You can create two
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 172
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click the VPN Policies submenu tab. The VPN . List of VPN Policies Information Item ! (Status) Name Type Local Remote Description default IP address when you are using the VPN Wizard). IP address or address range of the remote
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 173
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-11. List of VPN Policies Information (continued) Item Auth Encr Description (or Subfield and Description) The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 174
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-23
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 175
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Complete the fields, select the radio buttons and check boxes, and make your selections from the drop-down lists as explained in Table 5-12. Table 5-12. Add VPN Policy Settings Item General Policy Name Policy Type Select Local
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 176
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-12. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) Enable Keepalive Select a radio button to specify if keepalive is enabled: • Yes. This feature is enabled. Periodically, the VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 177
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-12. Add VPN Policy Settings (continued) Item Encryption Algorithm Key-In Key-Out SPI-Outgoing Integrity Algorithm Key-In Key-Out Description (or Subfield and Description) From the drop-down list, select one of the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 178
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-12. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) Auto Policy Parameters Note: These fields apply only when you select Auto Policy as the policy type. SA
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 179
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To edit a VPN policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (see Figure 5-20 on page 5-22). 2. Click the VPN Policies submenu tab. The VPN Policies screen
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 180
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring XAUTH for VPN Clients Once the XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 181
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-13. Extended Authentication Settings (continued) Item Username Password Description (or Subfield and Description) The user name for XAUTH. The password for XAUTH. 4. Click Apply to save your settings. User Database Configuration
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 182
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click the RADIUS Client submenu tab. The RADIUS Client screen displays. Figure 5-24 3. Complete the fields and select the radio buttons as explained in Table 5-14. Table 5-14. RADIUS Client Settings Item Description (or Subfield
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 183
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-14. RADIUS Client Settings ( configure the backup RADIUS server, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected. Backup Server IP Address The IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 184
    Assigning IP Addresses to Remote Users (Mode Config) To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to assign IP addresses to remote users, including a network access IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 185
    2. Click the Mode Config submenu tab. 185.210.99), and a third pool (172.210.220.1 through 172.210.220.99). 3. Under the List of Mode Config Records table, click the Add table button. The Add Mode Config Record screen displays (see
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 186
    Figure 5-26 4. Complete the fields, select the check box, and make your selections from the drop-down lists as explained in Table 5-15. Table 5-15. Add Mode Config Record Settings Item Client Pool Record Name Description (or
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 187
    Table 5-15. Add Mode Config Record Settings (continued) Item Description (or Subfield and Description) First Pool Second Pool Third Pool WINS Server DNS Server Assign at least one range of IP pool addresses in the First Pool
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 188
    Table 5-15. Add Mode Config Record Settings (continued) Item Integrity Algorithm Local IP Address Local Subnet Mask Description (or Subfield and Description) From the drop-down list, select one of the following two algorithms to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 189
    Figure 5-27 8. On the Add IKE Policy screen, complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in Table 5-16 on page 5-48.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 190
    Note: The settings that are explained in Table 5-16 are specifically for a Mode Config configuration. Table 5-10 on page 5-25 explains the general IKE policy settings. Table 5-16. Add IKE Policy Settings for a Mode Config
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 191
    Table 5-16. Add IKE Policy Settings for a Mode Config Configuration (continued) Item Description (or Subfield and Description) Remote Identifier Type From the drop-down list, select FQDN. Note: Mode Config requires that the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 192
    Table 5-16. Add IKE Policy Settings for a Mode Config Configuration (continued) Item Description (or Subfield and Description) Extended Authentication XAUTH Configuration Note: For more information about XAUTH and its
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 193
    2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using ModeConfigTest. Figure 5-28 3.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 194
    Table 5-17. Security Policy Editor: Remote Party, Mode Config Settings (continued) Setting Protocol Use ID Type Description (or Subfield and Description) From the drop-down list, select All. Select the Use check box. Then, from
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 195
    5. In the left frame, click My Identity. The screen adjusts. Figure 5-29 6. Enter the settings as explained in Table 5-18. Table 5-18. Security Policy Editor: My Identity, Mode Config Settings Setting Select Certificate
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 196
    Table 5-18. Security Policy Editor: My Identity, Mode Config Settings (continued) Setting ID Type Secure Interface Configuration Internet Interface Description (or Subfield and Description) From the drop-down list, select Domain
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 197
    9. Enter the settings as explained in Table 5-19. Table 5-19. Security Policy Editor: Security Policy, Mode Config Settings Setting Description (or Subfield and Description) Select Phase 1 Negotiation Select the Aggressive Mode
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 198
    Configuring Keepalives The keepalive feature maintains the IPsec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keepalive feature on a configured VPN policy: 1. Select
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 199
    Table 5-20. Keepalive Settings Item Description (or Subfield and Description) General Enable Keepalive Select a radio button to specify if keepalive is enabled: • Yes. This feature is enabled. Periodically, the VPN firewall
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 200
    Figure 5-32 3. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the fields as explained in Table 5-21. Table 5-21. Dead Peer Detection Settings Item IKE SA Parameters Enable Dead Peer Detection
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 201
    Configuring NetBIOS Bridging with IPsec VPN Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services such as naming and neighborhood device discovery. Because VPN routers do not normally
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 202
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 203
    Understanding the SSL VPN Portal Options The VPN firewall's SSL VPN portal can provide two levels of SSL service to the remote user: • SSL VPN tunnel. The VPN firewall can provide the full network connectivity of a VPN tunnel using the remote user's browser instead of a traditional IPsec VPN client
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 204
    The SSL capability of the user's browser provides authentication and encryption, establishing a secure connection to the VPN firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 205
    The domain determines the authentication method that is used and the portal layout that is presented, which in turn determines the network resources to which
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 206
    Creating the Portal Layout The Portal Layouts screen that you can access from the SSL VPN menu allows you to create a custom page that remote users see when they log in to the portal. Because the page is completely customizable, it
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 207
    Figure 6-1 3. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen displays. (Figure 6-2 shows an example.) Figure 6-2
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 208
    4. Complete the fields and select the check boxes as explained in Table 6-1. Table 6-1. Add Portal Layout Settings Item Description (or Subfield and Description) Portal Layout and Theme Name Portal Layout Name A descriptive name
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 209
    Table 6-1. Add Portal Layout Settings (continued) Item Description (or Subfield and Description) ActiveX web cache cleaner Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 210
    Configuring Applications for Port Forwarding Port forwarding provides access to specific defined network services. To define these services, you must specify the internal server addresses and port numbers for TCP applications that
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 211
    3. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to. • TCP Port.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 212
    Adding a New Host Name After you have configured port forwarding by defining the IP addresses of the internal servers and the port number for TCP applications that are available to remote users, you then can also specify host-name-to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 213
    The following are some additional considerations: • So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the local network, configure an IP address range that does not directly
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 214
    Figure 6-4 3. Select the check box and complete the fields as explained in Table 6-3. Table 6-3. Client IP Address Range Settings Item Description (or Subfield and Description) Client IP Address Range Enable Full Tunnel Support
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 215
    Table 6-3. Client IP Address Range Settings (continued) Item Description (or Subfield and Description) Secondary DNS Server The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This is optional.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 216
    Note: If VPN tunnel clients are already connected, restart the VPN firewall. Restarting forces clients to reconnect and receive new addresses and routes. To change the specifications of an existing route and to delete an old route:
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 217
    Figure 6-5 3. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 218
    To edit a resource: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs display, with the Policies screen in view. 2. Click the Resources submenu tab. The Resources screen displays (see Figure 6-5 on page 6-15, which
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 219
    Table 6-4. Add Resource Addresses Settings (continued) Item Description (or Subfield and Description) Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IP address. You must
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 220
    For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 221
    Figure 6-7 2. Make your selection from the following Query options: • Click Global to view all global policies. • Click Group to view group policies, and choose the relevant group's name from the drop-down list. • Click User to view
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 222
    Figure 6-8 3. Select the radio buttons, complete the fields, and make your selection from the drop-down lists as explained in Table 6-5. Table 6-5. Add SSL VPN Policy Settings Item Description (or Subfield and Description) Policy
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 223
    Table 6-5. Add SSL VPN Policy Settings (continued) Item Description (or Subfield and Description) Add SSL VPN Policies Apply Policy For Select one of the following radio buttons to specify how the policy is applied: • Network
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 224
    Table 6-5. Add SSL VPN Policy Settings (continued) Item Description (or Subfield and Description) Apply IP Network Policy For (continued) All Addresses Policy Name A descriptive name of the SSL VPN policy for identification
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 225
    4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately. Note: If you have configured SSL VPN user policies, ensure that HTTPS remote
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 226
    Figure 6-9 4. Enter a user name and password that are associated with the SSL portal and the domain (see "Configuring VPN Authentication Domains, Groups, and Users" on page 7-1). 5. Click Login. The default User Portal screen
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 227
    The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to the network services that
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 228
    To view the SSL VPN Logs: 1. Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. 2. Click the SSL VPN Logs submenu tab. The SSL VPN Logs screen displays. Figure 6-12
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 229
    (XAUTH) in your IPsec VPN configuration. Users connecting to the VPN firewall must be authenticated before being allowed to access the VPN firewall or the VPN-protected network. The login window that is presented to the user requires three items: a user name, a password, and a domain selection
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 230
    Configuring Domains The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 231
    Table 7-1. Authentication Protocols and Methods (continued) Authentication Protocol or Method Description (or Subfield and Description) LDAP A network-validated domain-based authentication method that functions with a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 232
    2. Under the List of Domains table, click the Add table button. The Add Domain screen displays. Figure 7-2 3. Enter the settings as explained in Table 7-2. Table 7-2. Add Domain Settings Setting Description (or Subfield and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 233
    Table 7-2. Add Domain Settings (continued) Setting Description (or Subfield and Description) Authentication Type (continued) • WIKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 234
    6. If you change local authentication, click Apply in the Domain screen to save your settings. To delete one or more domains: 1. In the List of Domains table, select the check box to the left of the domain that you want to delete, or
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 235
    Figure 7-3 The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group. If the group
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 236
    3. Click the Add table button. The new group is added to the List of Groups table. To delete one or more groups: 1. In the List of Groups table, select the check box to the left of the group that you want to delete, or click the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 237
    Configuring User Accounts When you create a user account, you must assign the user to a user group. When you create a group, you must assign the group to a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 238
    • Group. change the VPN firewall configuration (that is, read/write access). • SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 239
    Table 7-4. Add User Settings (continued) Setting Description (or Subfield and Description) Select Group The drop-down list shows the groups that are listed on the Group screen. From the drop-down list, select the group to which
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 240
    Figure 7-7 3. In the User Login Policies section of the screen, make the following selections: • To prohibit this user from logging in to the VPN firewall, select the Disable Login check box. • To prohibit this user from logging in
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 241
    Figure 7-8 4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Login
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 242
    the Delete table button. Configuring Login Restrictions Based on Web Browser List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs display, with the Login
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 243
    4. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table. • Allow Login only from Defined
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 244
    2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit User screen displays. Figure 7-10 3. Enter the settings as explained in Table 7-6.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 245
    Table 7-6. Edit User Settings (continued) Setting Idle Timeout Description (or Subfield and Description) The period after which an idle user is automatically logged out of the Web Management Interface. The default idle timeout
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 246
    You can obtain a digital certificate from a well-known commercial certificate authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 247
    • Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 248
    3. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificate) table. To
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 249
    Generating a CSR and Obtaining a Self Certificate from a CA To use a self certificate, you must first request the digital certificate from a CA, and then download and activate the digital certificate on the VPN firewall. To request a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 250
    2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in Table 7-7. Table 7-7. Generate Self Certificate Request Settings Setting Name Subject Hash Algorithm Signature Algorithm
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 251
    Figure 7-14 5. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----." 6. Submit your CSR to a
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 252
    11. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table. To delete one or
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 253
    To view the currently loaded CRLs and upload a new CRL: 1. Select VPN > Certificates from the menu. The Certificates screen displays. Figure 7-15 shows the bottom section of the screen with the Certificate Revocation Lists (CRL)
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 254
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 255
    cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates: • Load balancing mode. 6 Mbps (four WAN ports at 1.5 Mbps each) • Auto-rollover mode. 1.5 Mbps (one active WAN port at 1.5 Mbps) • Single WAN port mode. 1.5 Mbps (one active WAN port at
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 256
    As a result, and depending on the traffic that is being carried, the WAN side of the VPN firewall is the limiting factor to throughput for most installations. Using four WAN ports in load balancing mode increases the bandwidth
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 257
    When you define outbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applications to be covered by an outbound rule. If the desired service
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 258
    Content Filtering If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's content filtering feature. By default, this feature is disabled; all requested traffic from any
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 259
    Warning: This feature is for advanced administrators only! Incorrect configuration might cause serious problems. Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 260
    • WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address: - Any. The rule applies to all Internet IP addresses. - Single address. The rule applies to a single Internet IP address
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 261
    For information about how to enable the DMZ port, see "Configuring and Enabling the DMZ Port" on page 3-20. For the procedures on how to configure DMZ traffic rules, see "Setting DMZ WAN Rules" on page 4-14. Configuring Exposed Hosts
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 262
    Assigning Bandwidth Profiles When you apply a QoS profile, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile. The purpose of bandwidth
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 263
    Figure 8-1 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays. Figure 8-2 3. Select the Check to Edit Password check box. The password
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 264
    5. As an option, you can change the idle timeout for an administrator login session. Enter a new number of minutes in the Idle Timeout field. (The default setting is 5 minutes.) 6. Click Apply to save your settings. 7. Repeat step 1
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 265
    To configure the VPN firewall for remote management: 1. Select Administration > Remote Management from the menu. The Remote Management screen displays. Figure 8-3 2. Enter the settings as explained in Table 8-1 on page 8-9. Network
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 266
    Table 8-1. Remote Management Settings Setting Description (or Subfield and Description) Secure HTTP Management Allow Secure HTTP Management? Note: The IP address and port number to connect to the VPN firewall are shown in this
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 267
    Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses. Note: To maintain security, the VPN firewall rejects a login that uses http://address rather
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 268
    Using the Command-Line Interface You can access the command-line interface (CLI) using the console port on the rear panel of the VPN firewall (see "Rear Panel" on page 1-9). To access the CLI from a communications terminal when the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 269
    Figure 8-4 2. In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in Table 8-2. Table 8-2. SNMP Settings Setting IP Address Subnet Mask Port Community Description (or Subfield and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 270
    To delete one or more SNMP configuration entries: 1. In the SNMP Configuration table on the SNMP screen, select the check box to the left of the entry that you want to delete, or click the Select All table button to select
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 271
    Managing the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall. This file can be saved (backed up) to a PC, retrieved (restored) from the PC, or cleared to factory
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 272
    Backing Up Settings The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on. Back up your VPN firewall settings periodically, and store the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 273
    3. After you have selected the file, click the Restore button. A warning message might appear, and you might have to confirm that you want to restore the configuration. The VPN firewall reboots. An alert message appears indicating
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 274
    To download a firmware version and upgrade the VPN firewall: 1. Go to the NETGEAR website at http://www.netgear.com/support: a. In the Product Support & Downloads field in the middle of the screen, where it says "Enter model number",
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 275
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Date and Time Service Configure date, time, and NTP server designations on the Time Zone screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Setting
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 276
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 8-3. System Date & Time Settings (continued) Setting NTP Server (default or custom) Description (or Subfield and Description) From the drop-down list, select an NTP server: • Use Default NTP Servers. The VPN firewall's RTC
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 277
    features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 278
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-1 2. Enter the settings for the WAN1 port as explained in Table 9-1 on page 9-3.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 279
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-1. WAN Traffic Meter Settings Setting Description (or Subfield and Description) Enable Traffic Meter Do you want to Select one of the following radio buttons to configure traffic metering: enable Traffic • Yes.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 280
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-1. WAN Traffic Meter Settings (continued) Setting Description (or Subfield and Description) When Limit is reached Block Traffic Send e-mail alert Select one of the following radio buttons to specify what action the VPN
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 281
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The incoming and outgoing volume of traffic for each protocol and the total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts only when traffic passed is at least 1 MB. In addition, the popup
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 282
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-3
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 283
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Enter the settings as explained in Table 9-2. Table 9-2. E-mail and Syslog Settings Setting Description (or Subfield and Description) Log Options Log Identifier Enter the name of the log in the Log Identifier field. The Log
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 284
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-2. E-mail and Syslog Settings (continued) Setting Description (or Subfield and Description) Enable E-Mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to send logs
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 285
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-2. E-mail and Syslog Settings (continued) Setting Enable SysLogs Enable Description (or Subfield and Description) Select one of the following radio buttons to configure the syslog server: Yes. The VPN firewall sends a log
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 286
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • "Viewing and Disconnecting Active Users" on page 9-17. • "Viewing the VPN Tunnel Connection Status" on page 9-18. • "Viewing the VPN Logs" on page 9-19. • "Viewing the Port Triggering Status" on page 9-21. • "Viewing the WAN Port
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 287
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-4 Viewing the Detailed Status Screen To view the Detailed Status screen: 1. Select Monitoring > Router Status. The Status tabs display, with the Router Status screen in view (see Figure 9-4). 2. Click the Detailed Status
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 288
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-5 Table 9-4 on page 9-13 explains the fields of the Detailed Status screen.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 289
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-4. Detailed Status Screen Fields Setting Description (or Subfield and Description) LAN Port Configuration The following fields are shown for each of the four LAN ports. VLAN Profile The name of the VLAN profile that you
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 290
    the WAN port is physically connected to a modem or router. For information about connecting a WAN port, see the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide. WAN Connection Type The detected type of Internet connection that is used on this port. The WAN connection type
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 291
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Viewing the Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Status tabs display, with the Router Status screen in view (see Figure 9-4 on page 9-11). 2. Click the Show
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 292
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-5. Router Statistics Screen Fields (continued) Setting Rx B/s Up Time Description (or Subfield and Description) The number of received bytes per second on the port. The period that the port has been active since it was
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 293
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-5 explains the fields of the VLAN Status screen. Table 9-6. VLAN Status Screen Fields Setting Profile Name VLAN ID MAC Address Subnet IP DHCP Status Port Membership Description (or Subfield and Description) The unique name
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 294
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 295
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-7. IPsec VPN Connection Status Information (continued) Item State Action Description (or Subfield and Description) The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 296
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-11 To view the SSL VPN log: 1. Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. 2. Click the SSL VPN Logs submenu tab. The SSL VPN Logs screen displays.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 297
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Viewing the Port Triggering Status To view the status of the port triggering feature: 1. Select Security > Port Triggering from the menu. The Port Triggering screen displays (see Figure 4-29 on page 4-50). 2. Click the Status option
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 298
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click the Status button in the Action column of the WAN interface for which you want to view the connection status. The Connection Status screen appears in a popup window. Figure 9-14 The Connection Status screen displays the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 299
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Depending on the type of connection, any of the following buttons might be displayed on the Connection Status screen: • Renew. Click to renew the DHCP lease. • Release. Click to disconnect the DHCP connection. • Disconnect. Click to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 300
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means. Collectively, these entries make up the network
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 301
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 9-16 Using the Diagnostics Utilities From the Diagnostics screen you can perform diagnostics that are discussed in the following sections: • "Sending a Ping Packet or Tracing a Route" on page 9-26. • "Looking Up a DNS Address
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 302
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Send a ping packet request to check the connection between the VPN firewall and a specific IP address. The ping results are displayed on the devices can be configured not to respond to a ping. 9-26 Monitoring System
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 303
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To send a ping request: 1. In the Ping or Trace and IP Address section on the Diagnostics screen, make one of the following selections to specify how the destination should be reached: • If the specified address is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 304
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Displaying the Routing Table Displaying the internal routing table can assist NETGEAR Technical Support in diagnosing routing problems. To display the routing table, in the Router Options section on the Diagnostics screen, next to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 305
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To capture packets: 1. In the Router Options section on the Diagnostics screen, next to Capture Packets, click the Packet Trace button. The Capture Packets screen appears as a popup window. Figure 9-19 2.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 306
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 9-30 Monitoring System Access and Performance v1.0, April 2010
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 307
    the VPN firewall's Web Management Interface. Go to "Troubleshooting the Web Management Interface" on page 10-3. • A time-out occurs. Go to "When You Enter a URL or IP Address a Time-Out Error Occurs" on page 10-4. • I cannot access the Internet or the LAN. "Troubleshooting the ISP Connection" on
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 308
    factory defaults. Doing so sets the VPN firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 10-8. If the error persists, you might have a hardware problem and should contact NETGEAR Technical Support.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 309
    know the current IP address, reset the VPN firewall's configuration to factory defaults. This sets the VPN firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 10-8.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 310
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Tip: If you do not want to revert to the factory default settings and lose your configuration settings, you can reboot the VPN firewall and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 311
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Troubleshooting the ISP Connection If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 312
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Your ISP might check for your PC's host name. Enter the host name, system name, or account name that was assigned to you by your ISP in the Account Name field on the WAN ISP Settings screen for the WAN interface that you are
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 313
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Testing the LAN Path to Your VPN Firewall You can ping the VPN firewall from your PC to verify that the LAN path to the VPN firewall is set up correctly. To ping the VPN firewall from a PC running Windows 95 or later: 1. From the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 314
    in the Router's MAC Address section of the WAN Advanced Options screen for the WAN interface that you are troubleshooting (see "Configuring Advanced WAN Options" on page 2-31). Restoring the Default Configuration and Password To reset the VPN firewall to the original factory default settings, you
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 315
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 10-1 The VPN firewall reboots. During the reboot process, the Settings Backup & Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 316
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Problems with Date and Time The Time Zone screen displays the current date and time of day (see "Configuring Date and Time Service" on page 8-21). The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 317
    VPN Firewall Default Configuration Settings Feature Router Login User login URL Administrator user name (case-sensitive) Administrator login password (case-sensitive) Guest user name (case-sensitive) Guest login password (case-sensitive) Internet Connection WAN MAC address WAN MTU size Port speed
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 318
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table A-1. VPN Firewall Default Configuration Settings (continued) Feature Default Behavior (continued) RIP authentication DHCP server DHCP starting IP address DHCP starting IP address Disabled Enabled 192.168.1.2 192.168.1.100
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 319
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table A-2. VPN Firewall Physical and Technical Specifications (continued) Feature Environmental Specifications C Operating temperatures F Storage temperatures C F Operating humidity Storage humidity Major Regulatory
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 320
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table A-4 shows the SSL VPN specifications for the VPN firewall. Table A-4. VPN Firewall SSL VPN Specifications Setting Specification Network Management Web-based configuration and status monitoring Number of concurrent users supported
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 321
    WAN ports. For one WAN port, you might need a fully qualified domain name either for convenience or to remotely access a dynamic WAN IP address. b. If you intend to use several WAN ports, determine whether you will use them in autorollover mode for increased system reliability or load balancing
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 322
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Protocol binding. - For auto-rollover mode, protocol binding does not apply. - For load balancing mode, decide which protocols should be bound to a specific WAN port. - You can also add your own service protocols to the list. 2. Set
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 323
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth.
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 324
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • ISP Domain Name Server (DNS) addresses • One or more fixed IP addresses (also known as static IP addresses) Where Do I Get the Internet Configuration Information? There are several ways you can gather the required Internet
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 325
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Gateway IP Address: Subnet Mask: • ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address Secondary DNS Server IP Address • Host and Domain Names: Some
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 326
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual These various types of traffic and auto-rollover or load balancing all interact to make the planning process more challenging: • Inbound traffic. Unrequested incoming traffic can be directed to a PC on your LAN rather than being
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 327
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic based on the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 328
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual In the single WAN case, the WAN's Internet address is either fixed IP or an FQDN if the IP address is dynamic. Figure B-4 Inbound Traffic to a Dual WAN Port System The IP address range of the VPN firewall's WAN port must be both
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 329
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 330
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations. • Dual
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 331
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Road Warrior (Client-to-Gateway) The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall such as a VPN firewall: • Single-gateway WAN port
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 332
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure B-10 The IP addresses of the WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 333
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration, the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 334
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure B-13 The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Gateway-to-Gateway: Dual Gateway WAN Ports
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 335
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in Figure B-15), and one of the gateways must reestablish the VPN tunnel. Figure B-15 The purpose of the FQDNs is
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 336
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote PC client
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 337
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in Figure B-18)
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 338
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 339
    on page C-20 • "DHCP Logs" on page C-21 This appendix uses the following log message terms. Table C-1. Log Message Terms Term [SRX5308] [kernel] CODE DEST DPT port. Incoming interface for packet. Outgoing interface for packet. Protocol used. Packet coming from the system only. Source port. Source IP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 340
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual System Log Messages This section describes log messages that belong to one of the following categories: • Logs generated by traffic that is meant for the VPN firewall. • Logs generated by traffic that is routed or forwarded through
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 341
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Login/Logout This section describes logs generated by the administrative interfaces of the device. Table C-3. System Logs: Login/Logout Message Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 342
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Firewall Restart This section describes logs that are generated when the VPN firewall restarts. Table C-6. System Logs: Firewall Restart Message Jan 23 16:20:44 [SRX5308] [wand] [FW] Firewall Restarted Explanation Log
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 343
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-9. System Logs: Unicast, Redirect (continued) Recommended Action To enable these logs, from the CLI command prompt of the router, enter this command: monitor/firewallLogs/logger/loggerConfig logIcmpRedirect 1 And to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 344
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-11. System Logs: WAN Status, Load Balancing (continued) Explanation Message 1 and Message 2 indicate that both the WANs are restarted. Message 3: This message shows that both the WANs are up and the traffic is balanced
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 345
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual System Logs: WAN Status, Auto-Rollover (continued) Explanation The logs suggest that the failover was detected after 5 attempts instead of 3. However, the reason that the messages appear in the log is because of the WAN state
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 346
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-12. System Logs: WAN Status, PPPoE Idle Timeout (continued) Explanation Recommended Action Message 1: PPPoE connection started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 347
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • PPP Authentication Logs Table C-14. System Logs: WAN Status, PPP Authentication Message Explanation Recommended Action Nov 29 11:29:26 [SRX5308] [pppd] Starting link Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 348
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-16. System Logs: IPsec VPN Tunnel, Tunnel Establishment Messages 1 through 5 2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted 2000 Jan 1 04:02:09 [SRX5308] [wand] [FW] Firewall Restarted 2000 Jan 1 04:02:29 [
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 349
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-16. System Logs: IPsec VPN Tunnel, Tunnel Establishment (continued) Explanation Recommended Action Message 1-5: IPsec, IKE, and VPN firewall restart. Message 6-7: IPsec and IKE configurations are added with the identifier
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 350
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-18. System Logs: IPsec VPN Tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN Tunnel Not Reestablished Message 2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPsec SA configuration: 192.168.11.0/ 24192.168.10
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 351
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-20. System Logs: IPsec VPN Tunnel, Dead Peer Detection and Keepalive (Default 30 sec), VPN Tunnel Torn Down Message 1 Message 2 Message 3 Explanation Recommended Action 2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 352
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-21. System Logs: IPsec VPN Tunnel, Client Policy, Tunnel Establishment Messages 1 and 2 2000 Jan 1 02:17:05 [SRX5308] [IKE] Adding IKE configuration with identifier "clientpol1"_ 2000 Jan 1 02:17:05 [SRX5308] [IKE] Adding IPSec
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 353
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-21. System Logs: IPsec VPN Tunnel, Client Policy, Tunnel Establishment Explanation Recommended Action Message 1-2: IPsec and IKE configurations are added with the identifier "clientpol1." Message 3: The remote configuration
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 354
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-23. System Logs: IPsec VPN Tunnel, Client Policy Behind a NAT Device Message 3 Message 6 Explanation Recommended Action 2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_ 2000 Jan 1 01:
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 355
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-25. System Logs: VPN Log Messages, Port Forwarding, WAN Host and Interface Message 2000 Jan 1 01:30:08 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:30: 8" fw=20.0.0.2 pri=6 rule=access-policy proto="Port
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 356
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Routing Logs This section explains the logging messages for the various network segments (such as LAN to WAN) for debugging purposes. These logs might generate a significant volume of messages. LAN to WAN Logs Table C-28. Routing
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 357
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual WAN to LAN Logs Table C-31. Routing Logs: WAN to LAN Message Nov 29 10:05:15 [SRX5308] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 358
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Other Event Logs This section describes the log messages generated by other events such as source MAC filtering, session limiting, and bandwidth limiting. For information about
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 359
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-37. Other Event Logs: Bandwidth Limit, Inbound Bandwidth Profile Message 2000 Jan 1 00:08:21 [SRX5308] [kernel] [BW_LIMIT_DROP] IN=LAN OUT=WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 360
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual C-22 v1.0, April 2010 System Logs and Error Messages
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 361
    to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPsec VPN firewall product line to help address the fast-growing network security issues. What Are
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 362
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall your password or work, access to the corporate networks and data can also be strengthened using a combination of multiple
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 363
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 364
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: The one-time passcode is time- 3. The user then proceeds to the Two-Factor Authentication login page and enters the generated one-time passcode as the login password. Figure D-3
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 365
    the technologies used in your NETGEAR product. Document TCP/IP Networking Basics Wireless Networking netgear.com/reference/enu/wireless/index.htm http://documentation.netgear.com/reference/enu/wsdhcp/index.htm http://documentation.netgear.com/reference/enu/vpn/index.htm http://documentation.netgear
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 366
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual E-2 Related Documents v1.0, April 2010
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 367
    , to test the series for compliance with the regulations. Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe Gigabit Quad WAN SSL VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 368
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 369
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Open SSL above copyright notice, this list of conditions, and LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; make and use derivative works provided that such works are identified as "derived
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 370
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS FITNESS FOR A PARTICULAR PURPOSE. zlib.h. Interface of the zlib general purpose compression library
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 371
    Web cache cleaner, SSL VPN 6-7 address reservation 3-19 Address Resolution Protocol. See ARP. administrator default name and password 2-4 idle timeout, changing 8-10 login policies 8-10 passwords, changing 8-9 receiving logs by email 9-8 settings (admin) 8-8 tips, for firewall and content filtering
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 372
    8-18 managing 8-17 restoring 8-18 reverting to defaults 8-19 configuration menu (Web Management Interface) 2-5 configuration, default settings A-1 connection, WAN, speed and type 2-34 console port 1-10 content filtering about 1-4 blocking Internet sites 4-41 configuring 4-42 cookies, blocking 4-42
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 373
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual CRL (Certificate Revocation List) 7-19, 7-24 crossover cable 1-5, 10-3 CSR (Certificate Signing Request) 7-21 custom services, firewall 4-3, 4-31 customer support, NETGEAR ii D Data Encryption Standard. See DES. database, local
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 374
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual subnet mask 3-22 DNS (domain name server) automatic configuration of PCs 1-5 dynamic 2-27 looking up an address 9-27 ModeConfig 5-45 proxy 1-5, 3-5, 3-10, 3-24 queries, auto-rollover 2-18 server IP addresses 3-9 DMZ (demilitarized
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 375
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual auto-rollover mode 2-28 load balancing mode 2-28 multiple WAN ports 5-1, 5-2, B-1, B-9 SSL VPN, port forwarding 6-3 VPN tunnels 5-2 front panel LEDs 1-8 ports 1-7 fully qualified domain names. See FQDNs. G gateway IP address, ISP 2-
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 376
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual DNS servers 2-15, 3-9, 3-23 dynamically assigned 2-14 gateway, ISP 2-14 LAN, multi-home 3-12 MAC binding 4-46 port forwarding, SSL VPN 6-9 reserved 3-19 secondary LAN 3-12 WAN 2-25 static or permanent 2-10, 2-14 subnet mask default
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 377
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual local area network. See LAN. local user database 7-4 location, placement of the VPN firewall 1-11 lock, security 1-10 log messages (system logs and error messages) DHCP C-21 other events C-20 routing C-18 system C-2 understanding
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 378
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual planning, multiple WAN ports B-1 resources, SSL VPN 6-14 Network Access Server. See NAS. Network Address Translation. See NAT. network database adding PCs or devices 3-17 advantages 3-15 Known PCs and Devices table 3-16, 9-24
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 379
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual manually generated (manual) 5-29 SSL VPN managing 6-17 settings 6-20 policy hierarchy 6-17 pools, ModeConfig 5-45 port filtering. See service blocking. port forwarding firewall rules 4-3, 4-6 increasing traffic 4-7 reducing traffic
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 380
    Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual RADIUS-CHAP 5-28, 5-37, 5-38, 7-4 RADIUS-MSCHAP(v2) 7-4 RADIUS-PAP 5-28, 5-37, 5-38, 7-4 server, configuring 5-39 rate-limiting, traffic 2-34 read/write access 7-9 read-only access 7-9 rebooting, remotely 9-28 reducing traffic blocking
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 381
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual ModeConfig 5-46 self certificate requests 7-22 VPN policies 5-35 signature key length 7-22 Simple Network Management Protocol. See SNMP. single WAN port mode. See primary WAN mode. SIP (Session Initiation Protocol) 4-30 sniffer 10-4
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 382
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual tabs, submenu (Web Management Interface) 2-5 tags, meta 6-6 TCP flood, blocking 4-27 time-out 4-30 TCP/IP, network, troubleshooting 10-6 technical specifications A-2 technical support, NETGEAR ii Telnet, management 8-12 Test LED
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 383
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual V vendor class identifier 2-14 videoconferencing DMZ port 3-20 from restricted address 4-21 virtual LAN. See VLAN. Virtual Private Network Consortium. See VPNC. virtual private network. See VPN tunnels. VLAN advantages 3-2
  • Netgear SRX5308 | SRX5308 Reference Manual - Page 384
    SSL VPN Firewall SRX5308 Reference Manual W WAN advanced settings 2-32 aliases 2-25 auto-rollover mode configuring 2-18 DDNS 2-28 description 2-16 settings 2-19 VPN IPsec 5-1 bandwidth capacity 8-1 classical routing mode 2-17 connection speed and type 2-34 connection type, viewing 9-14 default port

202-10536-01
April 2010
v1.0
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual