Home » Netgear Manuals » Network Security & Firewall Devices » Netgear SRX5308 » Manual Viewer

Netgear SRX5308 SRX5308 Reference Manual - Page 220

Viewing Policies, SSL VPN

UPC - 606449065145

Add to My Manuals
Save this manual to your list of manuals

Page 220 highlights

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration: • Policy 1. A Deny rule has been configured to block all services to the IP address range 10.0.0.0 - 10.0.0.255. • Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2-10.0.1.10. • Policy 3. A Permit rule has been configured to allow FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5-10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3. Assuming that no conflicting user or group policies have been configured, if a user would attempt to access: • an FTP server at 10.0.0.1, the user would be blocked by Policy 1. • an FTP server at 10.0.1.5, the user would be blocked by Policy 2. • an FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5-10.0.0.20 is more specific than the IP address range that is defined in Policy 1. • an FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2. Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The VPN firewall's policy engine does not perform reverse DNS lookups. Viewing Policies To view the existing policies, follow these steps: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs display, with the Policies screen in view. (Figure 6-7 on page 6-19 shows some examples.) 6-18 Virtual Private Networking Using SSL Connections v1.0, April 2010

Section	Page
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual	1
Contents	3
About This Manual	11
Conventions, Formats, and Scope	11
How to Print This Manual	12
Revision History	12
Chapter 1 Introduction	13
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall?	13
Key Features and Capabilities	14
Quad-WAN Ports for Increased Reliability and Outbound Load Balancing	15
Advanced VPN Support for Both IPsec and SSL	15
A Powerful, True Firewall with Content Filtering	16
Security Features	16
Autosensing Ethernet Connections with Auto Uplink	17
Extensive Protocol Support	17
Easy Installation and Management	18
Maintenance and Support	18
Package Contents	19
Hardware Features	19
Front Panel	19
Rear Panel	21
Bottom Panel with Product Label	22
Choosing a Location for the SRX5308	23
Using the Rack-Mounting Kit	23
Chapter 2 Connecting the VPN Firewall to the Internet	25
Understanding the Internet and WAN Configuration Tasks	25
Qualified Web Browsers	26
Logging In to the VPN Firewall	27
Understanding the Web Management Interface Menu Layout	29
Configuring the Internet Connections	31
Automatically Detecting and Connecting	31
Setting the VPN Firewall’s MAC Address	35
Manually Configuring the Internet Connection	35
Configuring the WAN Mode	40
Configuring Network Address Translation	40
Configuring Classical Routing	41
Configuring the Auto-Rollover Mode and Failure Detection Method	42
Configuring Auto-Rollover Mode	42
Configuring the Failure Detection Method	44
Configuring Load Balancing and Optional Protocol Binding	45
Configuring Load Balancing	46
Configuring Protocol Binding (Optional)	47
Configuring Secondary WAN Addresses	49
Configuring Dynamic DNS	51
Configuring Advanced WAN Options	55
Additional WAN-Related Configuration Tasks	58
What to Do Next	59
Chapter 3 LAN Configuration	61
Managing Virtual LANs and DHCP Options	61
Understanding the VPN Firewall’s Port-Based VLANs	62
Assigning and Managing VLAN Profiles	63
VLAN DHCP Options	64
DHCP Server	64
DHCP Relay	65
DNS Proxy	65
LDAP Server	66
Configuring a VLAN Profile	66
Configuring VLAN MAC Addresses and LAN Advanced Settings	71
Configuring Multi-Home LAN IP Addresses on the Default VLAN	72
Managing Groups and Hosts (LAN Groups)	74
Managing the Network Database	75
Adding PCs or Devices to the Network Database	77
Editing PCs or Devices in the Network Database	78
Changing Group Names in the Network Database	78
Setting Up Address Reservation	79
Configuring and Enabling the DMZ Port	80
Managing Routing	84
Configuring Static Routes	85
Configuring Routing Information Protocol	87
Static Route Example	89
Chapter 4 Firewall Protection	91
About Firewall Protection	91
Administrator Tips	92
Using Rules to Block or Allow Specific Kinds of Traffic	92
Services-Based Rules	93
Outbound Rules (Service Blocking)	94
Inbound Rules (Port Forwarding)	96
Order of Precedence for Rules	100
Setting LAN WAN Rules	101
LAN WAN Outbound Services Rules	102
LAN WAN Inbound Services Rules	103
Setting DMZ WAN Rules	104
DMZ WAN Outbound Services Rules	106
DMZ WAN Inbound Services Rules	107
Setting LAN DMZ Rules	108
LAN DMZ Outbound Services Rules	109
LAN DMZ Inbound Services Rules	110
Inbound Rules Examples	111
LAN WAN Inbound Rule: Hosting a Local Public Web Server	111
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	111
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	112
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	114
Outbound Rules Example	115
LAN WAN Outbound Rule: Blocking Instant Messenger	115
Configuring Other Firewall Features	116
Attack Checks	116
Setting Session Limits	119
Managing the Application Level Gateway for SIP Sessions	120
Creating Services, QoS Profiles, and Bandwidth Profiles	121
Adding Customized Services	121
Creating Quality of Service (QoS) Profiles	124
Creating Bandwidth Profiles	127
Setting a Schedule to Block or Allow Specific Traffic	130
Content Filtering (Blocking Internet Sites)	131
Understanding the VPN Firewall’s Content Filtering	131
Enabling and Configuring Content Filtering	132
Enabling Source MAC Filtering	134
Setting Up IP/MAC Bindings	136
Configuring Port Triggering	138
Configuring Universal Plug and Play	141
Chapter 5 Virtual Private Networking Using IPsec Connections	143
Considerations for Multi-WAN Port Systems	143
Using the IPsec VPN Wizard for Client and Gateway Configurations	145
Creating Gateway-to-Gateway VPN Tunnels with the Wizard	145
Creating a Client to Gateway VPN Tunnel	150
Using the VPN Wizard Configure the Gateway for a Client Tunnel	150
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	153
Testing the Connections and Viewing Status Information	158
Testing the VPN Connection	158
NETGEAR VPN Client Status and Log Information	159
Viewing the VPN Firewall IPsec VPN Connection Status	161
Viewing the VPN Firewall IPSec VPN Logs	162
Managing IPsec VPN Policies	162
Configuring IKE Policies	163
IKE Policies Screen	164
Manually Adding or Editing an IKE Policy	165
Configuring VPN Policies	171
VPN Policies Screen	171
Manually Adding or Editing a VPN Policy	173
Configuring Extended Authentication (XAUTH)	179
Configuring XAUTH for VPN Clients	180
User Database Configuration	181
RADIUS Client Configuration	181
Assigning IP Addresses to Remote Users (Mode Config)	184
Mode Config Operation	184
Configuring Mode Config Operation on the VPN Firewall	184
Configuring the ProSafe VPN Client for Mode Config Operation	192
Testing the Mode Config Connection	197
Configuring Keepalives and Dead Peer Detection	197
Configuring Keepalives	198
Configuring Dead Peer Detection	199
Configuring NetBIOS Bridging with IPsec VPN	201
Chapter 6 Virtual Private Networking Using SSL Connections	203
Understanding the SSL VPN Portal Options	203
Planning for an SSL VPN	204
Creating the Portal Layout	206
Configuring Domains, Groups, and Users	209
Configuring Applications for Port Forwarding	210
Adding Servers and Port Numbers	210
Adding a New Host Name	212
Configuring the SSL VPN Client	212
Configuring the Client IP Address Range	213
Adding Routes for VPN Tunnel Clients	215
Using Network Resource Objects to Simplify Policies	216
Adding New Network Resources	216
Editing Network Resources to Specify Addresses	217
Configuring User, Group, and Global Policies	219
Viewing Policies	220
Adding a Policy	221
Accessing the SSL Portal Login Screen	225
Viewing the SSL VPN Connection Status and SSL VPN Logs	227
Chapter 7 Managing Users, Authentication, and Certificates	229
Configuring VPN Authentication Domains, Groups, and Users	229
Configuring Domains	230
Configuring Groups for VPN Policies	234
Creating and Deleting Groups	234
Editing Groups	236
Configuring User Accounts	237
Setting User Login Policies	239
Configuring Login Policies	239
Configuring Login Restrictions Based on IP Address	240
Configuring Login Restrictions Based on Web Browser	242
Changing Passwords and Other User Settings	243
Managing Digital Certificates	245
Understanding the Certificates Screen	246
Managing CA Certificates	247
Managing Self Certificates	248
Generating a CSR and Obtaining a Self Certificate from a CA	249
Viewing and Managing Self Certificates	252
Managing the Certificate Revocation List	252
Chapter 8 Network and System Management	255
Performance Management	255
Bandwidth Capacity	255
Features That Reduce Traffic	256
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)	256
Content Filtering	258
Source MAC Filtering	258
Features That Increase Traffic	258
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)	258
Port Triggering	260
Configuring the DMZ Port	260
For information about how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 3-20. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 4-14.	261
Configuring Exposed Hosts	261
Configuring VPN Tunnels	261
Using QoS and Bandwidth Assignment to Shift the Traffic Mix	261
Assigning QoS Profiles	261
Monitoring Tools for Traffic Management	262
System Management	262
Changing Passwords and Administrator Settings	262
Configuring Remote Management Access	264
Using the Command-Line Interface	268
Using a Simple Network Management Protocol Manager	268
Managing the SNMP Configuration	268
Managing the VPN Firewall’s SNMP System Information	270
Managing the Configuration File	271
Backing Up Settings	272
Restoring Settings	272
Reverting to Factory Default Settings	273
Upgrading the Firmware and Rebooting the VPN Firewall	273
Configuring Date and Time Service	275
Chapter 9 Monitoring System Access and Performance	277
Enabling the WAN Traffic Meter	277
Activating Notification of Events, Alerts, and Syslogs	281
Viewing Status and Log Screens	285
Viewing the System (Router) Status and Statistics	286
Viewing the Router Status Screen	286
Viewing the Detailed Status Screen	287
Viewing the Router Statistics Screen	291
Viewing the VLAN Status	292
Viewing and Disconnecting Active Users	293
Viewing the VPN Tunnel Connection Status	294
Viewing the VPN Logs	295
Viewing the Port Triggering Status	297
Viewing the WAN Port Connection Status	297
Viewing the Attached Devices and DHCP Log	299
Viewing Attached Devices	299
Viewing the DHCP Log	300
Using the Diagnostics Utilities	301
Sending a Ping Packet or Tracing a Route	302
Looking Up a DNS Address	303
Displaying the Routing Table	304
Rebooting the VPN Firewall	304
Capturing Packets	304
Chapter 10 Troubleshooting and Using Online Support	307
Basic Functioning	308
Power LED Not On	308
Test LED Never Turns Off	308
LAN or WAN Port LEDs Not On	309
Troubleshooting the Web Management Interface	309
When You Enter a URL or IP Address a Time-Out Error Occurs	310
Troubleshooting the ISP Connection	311
Troubleshooting a TCP/IP Network Using the Ping Utility	312
Testing the LAN Path to Your VPN Firewall	313
Testing the Path from Your PC to a Remote Device	313
Restoring the Default Configuration and Password	314
Problems with Date and Time	316
Accessing the Knowledge Base and Documentation	316
Appendix A Default Settings and Technical Specifications	317
Appendix B Network Planning for Multiple WAN Ports	321
What to Consider Before You Begin	321
Cabling and Computer Hardware Requirements	323
Computer Network Configuration Requirements	323
Internet Configuration Requirements	323
Where Do I Get the Internet Configuration Information?	324
Internet Connection Information	324
Overview of the Planning Process	325
Inbound Traffic	327
Inbound Traffic to a Single WAN Port System	327
Inbound Traffic to a Dual WAN Port System	328
Inbound Traffic: Dual WAN Ports for Improved Reliability	328
Inbound Traffic: Dual WAN Ports for Load Balancing	328
Virtual Private Networks	329
VPN Road Warrior (Client-to-Gateway)	331
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	331
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	331
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	333
VPN Gateway-to-Gateway	333
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	333
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	334
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	335
VPN Telecommuter (Client-to-Gateway through a NAT Router)	336
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	336
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	337
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	338
Appendix C System Logs and Error Messages	339
System Log Messages	340
NTP	340
Login/Logout	341
System Startup	341
Reboot	341
Firewall Restart	342
IPsec Restart	342
Unicast, Multicast, and Broadcast Logs	342
ICMP Redirect Logs	342
Multicast/Broadcast Logs	343
WAN Status	343
Load Balancing	343
Auto-Rollover	344
PPP Logs	345
Resolved DNS Names	347
VPN Log Messages	347
IPsec VPN Logs	347
SSL VPN Logs	354
Traffic Meter Logs	355
Routing Logs	356
LAN to WAN Logs	356
LAN to DMZ Logs	356
DMZ to WAN Logs	356
WAN to LAN Logs	357
DMZ to LAN Logs	357
WAN to DMZ Logs	357
Other Event Logs	358
Session Limit Logs	358
Source MAC Filter Logs	358
Bandwidth Limit Logs	358
DHCP Logs	359
Appendix D Two-Factor Authentication	361
Why Do I Need Two-Factor Authentication?	361
What Are the Benefits of Two-Factor Authentication?	361
What Is Two-Factor Authentication	362
NETGEAR Two-Factor Authentication Solutions	362
Appendix E Related Documents	365
Appendix F Notification of Compliance	367

Match case Limit results 1 per page

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual

6-18

Virtual Private Networking Using SSL Connections

v1.0, April 2010

For example, a policy that is configured for a single IP address takes precedence over a policy that

is configured for a range of addresses. And a policy that applies to a range of IP addresses takes

precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are

configured, then the smallest address range takes precedence. Host names are treated the same as

individual IP addresses.

Network resources are prioritized just like other address ranges. However, the prioritization is

based on the individual address or address range, not the entire network resource.

For example, assume the following global policy configuration:

•

Policy 1. A Deny rule has been configured to block all services to the IP address range

10.0.0.0 – 10.0.0.255.

•

Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.

•

Policy 3. A Permit rule has been configured to allow FTP access to the predefined network

resource with the name FTP Servers. The FTP Servers network resource includes the

following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.

company

.com, which resolves to

10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user would attempt

to access:

•

an FTP server at 10.0.0.1, the user would be blocked by Policy 1.

•

an FTP server at 10.0.1.5, the user would be blocked by Policy 2.

•

an FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range

10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.

•

an FTP server at ftp.

company

.com, the user would be granted access by Policy 3. A single host

name is more specific than the IP address range that is configured in Policy 2.

Viewing Policies

To view the existing policies, follow these steps:

Select

VPN

SSL VPN

from the menu. The SSL VPN submenu tabs display, with the

Policies screen in view. (

Figure 6-7 on page 6-19

shows some examples.)

Note:

The user would not be able to access ftp.

company

.com using its IP address

10.0.1.3. The VPN firewall’s policy engine does not perform reverse DNS

lookups.