| Section |
Page |
| ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual |
1 |
| Contents |
3 |
| About This Manual |
11 |
| Conventions, Formats, and Scope |
11 |
| How to Print This Manual |
12 |
| Revision History |
12 |
| Chapter 1 Introduction |
13 |
| What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall? |
13 |
| Key Features and Capabilities |
14 |
| Quad-WAN Ports for Increased Reliability and Outbound Load Balancing |
15 |
| Advanced VPN Support for Both IPsec and SSL |
15 |
| A Powerful, True Firewall with Content Filtering |
16 |
| Security Features |
16 |
| Autosensing Ethernet Connections with Auto Uplink |
17 |
| Extensive Protocol Support |
17 |
| Easy Installation and Management |
18 |
| Maintenance and Support |
18 |
| Package Contents |
19 |
| Hardware Features |
19 |
| Front Panel |
19 |
| Rear Panel |
21 |
| Bottom Panel with Product Label |
22 |
| Choosing a Location for the SRX5308 |
23 |
| Using the Rack-Mounting Kit |
23 |
| Chapter 2 Connecting the VPN Firewall to the Internet |
25 |
| Understanding the Internet and WAN Configuration Tasks |
25 |
| Qualified Web Browsers |
26 |
| Logging In to the VPN Firewall |
27 |
| Understanding the Web Management Interface Menu Layout |
29 |
| Configuring the Internet Connections |
31 |
| Automatically Detecting and Connecting |
31 |
| Setting the VPN Firewall’s MAC Address |
35 |
| Manually Configuring the Internet Connection |
35 |
| Configuring the WAN Mode |
40 |
| Configuring Network Address Translation |
40 |
| Configuring Classical Routing |
41 |
| Configuring the Auto-Rollover Mode and Failure Detection Method |
42 |
| Configuring Auto-Rollover Mode |
42 |
| Configuring the Failure Detection Method |
44 |
| Configuring Load Balancing and Optional Protocol Binding |
45 |
| Configuring Load Balancing |
46 |
| Configuring Protocol Binding (Optional) |
47 |
| Configuring Secondary WAN Addresses |
49 |
| Configuring Dynamic DNS |
51 |
| Configuring Advanced WAN Options |
55 |
| Additional WAN-Related Configuration Tasks |
58 |
| What to Do Next |
59 |
| Chapter 3 LAN Configuration |
61 |
| Managing Virtual LANs and DHCP Options |
61 |
| Understanding the VPN Firewall’s Port-Based VLANs |
62 |
| Assigning and Managing VLAN Profiles |
63 |
| VLAN DHCP Options |
64 |
| DHCP Server |
64 |
| DHCP Relay |
65 |
| DNS Proxy |
65 |
| LDAP Server |
66 |
| Configuring a VLAN Profile |
66 |
| Configuring VLAN MAC Addresses and LAN Advanced Settings |
71 |
| Configuring Multi-Home LAN IP Addresses on the Default VLAN |
72 |
| Managing Groups and Hosts (LAN Groups) |
74 |
| Managing the Network Database |
75 |
| Adding PCs or Devices to the Network Database |
77 |
| Editing PCs or Devices in the Network Database |
78 |
| Changing Group Names in the Network Database |
78 |
| Setting Up Address Reservation |
79 |
| Configuring and Enabling the DMZ Port |
80 |
| Managing Routing |
84 |
| Configuring Static Routes |
85 |
| Configuring Routing Information Protocol |
87 |
| Static Route Example |
89 |
| Chapter 4 Firewall Protection |
91 |
| About Firewall Protection |
91 |
| Administrator Tips |
92 |
| Using Rules to Block or Allow Specific Kinds of Traffic |
92 |
| Services-Based Rules |
93 |
| Outbound Rules (Service Blocking) |
94 |
| Inbound Rules (Port Forwarding) |
96 |
| Order of Precedence for Rules |
100 |
| Setting LAN WAN Rules |
101 |
| LAN WAN Outbound Services Rules |
102 |
| LAN WAN Inbound Services Rules |
103 |
| Setting DMZ WAN Rules |
104 |
| DMZ WAN Outbound Services Rules |
106 |
| DMZ WAN Inbound Services Rules |
107 |
| Setting LAN DMZ Rules |
108 |
| LAN DMZ Outbound Services Rules |
109 |
| LAN DMZ Inbound Services Rules |
110 |
| Inbound Rules Examples |
111 |
| LAN WAN Inbound Rule: Hosting a Local Public Web Server |
111 |
| LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses |
111 |
| LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping |
112 |
| LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host |
114 |
| Outbound Rules Example |
115 |
| LAN WAN Outbound Rule: Blocking Instant Messenger |
115 |
| Configuring Other Firewall Features |
116 |
| Attack Checks |
116 |
| Setting Session Limits |
119 |
| Managing the Application Level Gateway for SIP Sessions |
120 |
| Creating Services, QoS Profiles, and Bandwidth Profiles |
121 |
| Adding Customized Services |
121 |
| Creating Quality of Service (QoS) Profiles |
124 |
| Creating Bandwidth Profiles |
127 |
| Setting a Schedule to Block or Allow Specific Traffic |
130 |
| Content Filtering (Blocking Internet Sites) |
131 |
| Understanding the VPN Firewall’s Content Filtering |
131 |
| Enabling and Configuring Content Filtering |
132 |
| Enabling Source MAC Filtering |
134 |
| Setting Up IP/MAC Bindings |
136 |
| Configuring Port Triggering |
138 |
| Configuring Universal Plug and Play |
141 |
| Chapter 5 Virtual Private Networking Using IPsec Connections |
143 |
| Considerations for Multi-WAN Port Systems |
143 |
| Using the IPsec VPN Wizard for Client and Gateway Configurations |
145 |
| Creating Gateway-to-Gateway VPN Tunnels with the Wizard |
145 |
| Creating a Client to Gateway VPN Tunnel |
150 |
| Using the VPN Wizard Configure the Gateway for a Client Tunnel |
150 |
| Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection |
153 |
| Testing the Connections and Viewing Status Information |
158 |
| Testing the VPN Connection |
158 |
| NETGEAR VPN Client Status and Log Information |
159 |
| Viewing the VPN Firewall IPsec VPN Connection Status |
161 |
| Viewing the VPN Firewall IPSec VPN Logs |
162 |
| Managing IPsec VPN Policies |
162 |
| Configuring IKE Policies |
163 |
| IKE Policies Screen |
164 |
| Manually Adding or Editing an IKE Policy |
165 |
| Configuring VPN Policies |
171 |
| VPN Policies Screen |
171 |
| Manually Adding or Editing a VPN Policy |
173 |
| Configuring Extended Authentication (XAUTH) |
179 |
| Configuring XAUTH for VPN Clients |
180 |
| User Database Configuration |
181 |
| RADIUS Client Configuration |
181 |
| Assigning IP Addresses to Remote Users (Mode Config) |
184 |
| Mode Config Operation |
184 |
| Configuring Mode Config Operation on the VPN Firewall |
184 |
| Configuring the ProSafe VPN Client for Mode Config Operation |
192 |
| Testing the Mode Config Connection |
197 |
| Configuring Keepalives and Dead Peer Detection |
197 |
| Configuring Keepalives |
198 |
| Configuring Dead Peer Detection |
199 |
| Configuring NetBIOS Bridging with IPsec VPN |
201 |
| Chapter 6 Virtual Private Networking Using SSL Connections |
203 |
| Understanding the SSL VPN Portal Options |
203 |
| Planning for an SSL VPN |
204 |
| Creating the Portal Layout |
206 |
| Configuring Domains, Groups, and Users |
209 |
| Configuring Applications for Port Forwarding |
210 |
| Adding Servers and Port Numbers |
210 |
| Adding a New Host Name |
212 |
| Configuring the SSL VPN Client |
212 |
| Configuring the Client IP Address Range |
213 |
| Adding Routes for VPN Tunnel Clients |
215 |
| Using Network Resource Objects to Simplify Policies |
216 |
| Adding New Network Resources |
216 |
| Editing Network Resources to Specify Addresses |
217 |
| Configuring User, Group, and Global Policies |
219 |
| Viewing Policies |
220 |
| Adding a Policy |
221 |
| Accessing the SSL Portal Login Screen |
225 |
| Viewing the SSL VPN Connection Status and SSL VPN Logs |
227 |
| Chapter 7 Managing Users, Authentication, and Certificates |
229 |
| Configuring VPN Authentication Domains, Groups, and Users |
229 |
| Configuring Domains |
230 |
| Configuring Groups for VPN Policies |
234 |
| Creating and Deleting Groups |
234 |
| Editing Groups |
236 |
| Configuring User Accounts |
237 |
| Setting User Login Policies |
239 |
| Configuring Login Policies |
239 |
| Configuring Login Restrictions Based on IP Address |
240 |
| Configuring Login Restrictions Based on Web Browser |
242 |
| Changing Passwords and Other User Settings |
243 |
| Managing Digital Certificates |
245 |
| Understanding the Certificates Screen |
246 |
| Managing CA Certificates |
247 |
| Managing Self Certificates |
248 |
| Generating a CSR and Obtaining a Self Certificate from a CA |
249 |
| Viewing and Managing Self Certificates |
252 |
| Managing the Certificate Revocation List |
252 |
| Chapter 8 Network and System Management |
255 |
| Performance Management |
255 |
| Bandwidth Capacity |
255 |
| Features That Reduce Traffic |
256 |
| LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) |
256 |
| Content Filtering |
258 |
| Source MAC Filtering |
258 |
| Features That Increase Traffic |
258 |
| LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) |
258 |
| Port Triggering |
260 |
| Configuring the DMZ Port |
260 |
| For information about how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 3-20. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 4-14. |
261 |
| Configuring Exposed Hosts |
261 |
| Configuring VPN Tunnels |
261 |
| Using QoS and Bandwidth Assignment to Shift the Traffic Mix |
261 |
| Assigning QoS Profiles |
261 |
| Monitoring Tools for Traffic Management |
262 |
| System Management |
262 |
| Changing Passwords and Administrator Settings |
262 |
| Configuring Remote Management Access |
264 |
| Using the Command-Line Interface |
268 |
| Using a Simple Network Management Protocol Manager |
268 |
| Managing the SNMP Configuration |
268 |
| Managing the VPN Firewall’s SNMP System Information |
270 |
| Managing the Configuration File |
271 |
| Backing Up Settings |
272 |
| Restoring Settings |
272 |
| Reverting to Factory Default Settings |
273 |
| Upgrading the Firmware and Rebooting the VPN Firewall |
273 |
| Configuring Date and Time Service |
275 |
| Chapter 9 Monitoring System Access and Performance |
277 |
| Enabling the WAN Traffic Meter |
277 |
| Activating Notification of Events, Alerts, and Syslogs |
281 |
| Viewing Status and Log Screens |
285 |
| Viewing the System (Router) Status and Statistics |
286 |
| Viewing the Router Status Screen |
286 |
| Viewing the Detailed Status Screen |
287 |
| Viewing the Router Statistics Screen |
291 |
| Viewing the VLAN Status |
292 |
| Viewing and Disconnecting Active Users |
293 |
| Viewing the VPN Tunnel Connection Status |
294 |
| Viewing the VPN Logs |
295 |
| Viewing the Port Triggering Status |
297 |
| Viewing the WAN Port Connection Status |
297 |
| Viewing the Attached Devices and DHCP Log |
299 |
| Viewing Attached Devices |
299 |
| Viewing the DHCP Log |
300 |
| Using the Diagnostics Utilities |
301 |
| Sending a Ping Packet or Tracing a Route |
302 |
| Looking Up a DNS Address |
303 |
| Displaying the Routing Table |
304 |
| Rebooting the VPN Firewall |
304 |
| Capturing Packets |
304 |
| Chapter 10 Troubleshooting and Using Online Support |
307 |
| Basic Functioning |
308 |
| Power LED Not On |
308 |
| Test LED Never Turns Off |
308 |
| LAN or WAN Port LEDs Not On |
309 |
| Troubleshooting the Web Management Interface |
309 |
| When You Enter a URL or IP Address a Time-Out Error Occurs |
310 |
| Troubleshooting the ISP Connection |
311 |
| Troubleshooting a TCP/IP Network Using the Ping Utility |
312 |
| Testing the LAN Path to Your VPN Firewall |
313 |
| Testing the Path from Your PC to a Remote Device |
313 |
| Restoring the Default Configuration and Password |
314 |
| Problems with Date and Time |
316 |
| Accessing the Knowledge Base and Documentation |
316 |
| Appendix A Default Settings and Technical Specifications |
317 |
| Appendix B Network Planning for Multiple WAN Ports |
321 |
| What to Consider Before You Begin |
321 |
| Cabling and Computer Hardware Requirements |
323 |
| Computer Network Configuration Requirements |
323 |
| Internet Configuration Requirements |
323 |
| Where Do I Get the Internet Configuration Information? |
324 |
| Internet Connection Information |
324 |
| Overview of the Planning Process |
325 |
| Inbound Traffic |
327 |
| Inbound Traffic to a Single WAN Port System |
327 |
| Inbound Traffic to a Dual WAN Port System |
328 |
| Inbound Traffic: Dual WAN Ports for Improved Reliability |
328 |
| Inbound Traffic: Dual WAN Ports for Load Balancing |
328 |
| Virtual Private Networks |
329 |
| VPN Road Warrior (Client-to-Gateway) |
331 |
| VPN Road Warrior: Single Gateway WAN Port (Reference Case) |
331 |
| VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability |
331 |
| VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing |
333 |
| VPN Gateway-to-Gateway |
333 |
| VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) |
333 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability |
334 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing |
335 |
| VPN Telecommuter (Client-to-Gateway through a NAT Router) |
336 |
| VPN Telecommuter: Single Gateway WAN Port (Reference Case) |
336 |
| VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability |
337 |
| VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing |
338 |
| Appendix C System Logs and Error Messages |
339 |
| System Log Messages |
340 |
| NTP |
340 |
| Login/Logout |
341 |
| System Startup |
341 |
| Reboot |
341 |
| Firewall Restart |
342 |
| IPsec Restart |
342 |
| Unicast, Multicast, and Broadcast Logs |
342 |
| ICMP Redirect Logs |
342 |
| Multicast/Broadcast Logs |
343 |
| WAN Status |
343 |
| Load Balancing |
343 |
| Auto-Rollover |
344 |
| PPP Logs |
345 |
| Resolved DNS Names |
347 |
| VPN Log Messages |
347 |
| IPsec VPN Logs |
347 |
| SSL VPN Logs |
354 |
| Traffic Meter Logs |
355 |
| Routing Logs |
356 |
| LAN to WAN Logs |
356 |
| LAN to DMZ Logs |
356 |
| DMZ to WAN Logs |
356 |
| WAN to LAN Logs |
357 |
| DMZ to LAN Logs |
357 |
| WAN to DMZ Logs |
357 |
| Other Event Logs |
358 |
| Session Limit Logs |
358 |
| Source MAC Filter Logs |
358 |
| Bandwidth Limit Logs |
358 |
| DHCP Logs |
359 |
| Appendix D Two-Factor Authentication |
361 |
| Why Do I Need Two-Factor Authentication? |
361 |
| What Are the Benefits of Two-Factor Authentication? |
361 |
| What Is Two-Factor Authentication |
362 |
| NETGEAR Two-Factor Authentication Solutions |
362 |
| Appendix E Related Documents |
365 |
| Appendix F Notification of Compliance |
367 |
1
359
360
361
362
363
364
365
366
367
368
369
