| Section | Page |
|---|---|
| ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual | 1 |
| Contents | 3 |
| About This Manual | 11 |
| Conventions, Formats, and Scope | 11 |
| How to Print This Manual | 12 |
| Revision History | 12 |
| Chapter 1 Introduction | 13 |
| What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall? | 13 |
| Key Features and Capabilities | 14 |
| Quad-WAN Ports for Increased Reliability and Outbound Load Balancing | 15 |
| Advanced VPN Support for Both IPsec and SSL | 15 |
| A Powerful, True Firewall with Content Filtering | 16 |
| Security Features | 16 |
| Autosensing Ethernet Connections with Auto Uplink | 17 |
| Extensive Protocol Support | 17 |
| Easy Installation and Management | 18 |
| Maintenance and Support | 18 |
| Package Contents | 19 |
| Hardware Features | 19 |
| Front Panel | 19 |
| Rear Panel | 21 |
| Bottom Panel with Product Label | 22 |
| Choosing a Location for the SRX5308 | 23 |
| Using the Rack-Mounting Kit | 23 |
| Chapter 2 Connecting the VPN Firewall to the Internet | 25 |
| Understanding the Internet and WAN Configuration Tasks | 25 |
| Qualified Web Browsers | 26 |
| Logging In to the VPN Firewall | 27 |
| Understanding the Web Management Interface Menu Layout | 29 |
| Configuring the Internet Connections | 31 |
| Automatically Detecting and Connecting | 31 |
| Setting the VPN Firewall’s MAC Address | 35 |
| Manually Configuring the Internet Connection | 35 |
| Configuring the WAN Mode | 40 |
| Configuring Network Address Translation | 40 |
| Configuring Classical Routing | 41 |
| Configuring the Auto-Rollover Mode and Failure Detection Method | 42 |
| Configuring Auto-Rollover Mode | 42 |
| Configuring the Failure Detection Method | 44 |
| Configuring Load Balancing and Optional Protocol Binding | 45 |
| Configuring Load Balancing | 46 |
| Configuring Protocol Binding (Optional) | 47 |
| Configuring Secondary WAN Addresses | 49 |
| Configuring Dynamic DNS | 51 |
| Configuring Advanced WAN Options | 55 |
| Additional WAN-Related Configuration Tasks | 58 |
| What to Do Next | 59 |
| Chapter 3 LAN Configuration | 61 |
| Managing Virtual LANs and DHCP Options | 61 |
| Understanding the VPN Firewall’s Port-Based VLANs | 62 |
| Assigning and Managing VLAN Profiles | 63 |
| VLAN DHCP Options | 64 |
| DHCP Server | 64 |
| DHCP Relay | 65 |
| DNS Proxy | 65 |
| LDAP Server | 66 |
| Configuring a VLAN Profile | 66 |
| Configuring VLAN MAC Addresses and LAN Advanced Settings | 71 |
| Configuring Multi-Home LAN IP Addresses on the Default VLAN | 72 |
| Managing Groups and Hosts (LAN Groups) | 74 |
| Managing the Network Database | 75 |
| Adding PCs or Devices to the Network Database | 77 |
| Editing PCs or Devices in the Network Database | 78 |
| Changing Group Names in the Network Database | 78 |
| Setting Up Address Reservation | 79 |
| Configuring and Enabling the DMZ Port | 80 |
| Managing Routing | 84 |
| Configuring Static Routes | 85 |
| Configuring Routing Information Protocol | 87 |
| Static Route Example | 89 |
| Chapter 4 Firewall Protection | 91 |
| About Firewall Protection | 91 |
| Administrator Tips | 92 |
| Using Rules to Block or Allow Specific Kinds of Traffic | 92 |
| Services-Based Rules | 93 |
| Outbound Rules (Service Blocking) | 94 |
| Inbound Rules (Port Forwarding) | 96 |
| Order of Precedence for Rules | 100 |
| Setting LAN WAN Rules | 101 |
| LAN WAN Outbound Services Rules | 102 |
| LAN WAN Inbound Services Rules | 103 |
| Setting DMZ WAN Rules | 104 |
| DMZ WAN Outbound Services Rules | 106 |
| DMZ WAN Inbound Services Rules | 107 |
| Setting LAN DMZ Rules | 108 |
| LAN DMZ Outbound Services Rules | 109 |
| LAN DMZ Inbound Services Rules | 110 |
| Inbound Rules Examples | 111 |
| LAN WAN Inbound Rule: Hosting a Local Public Web Server | 111 |
| LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses | 111 |
| LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping | 112 |
| LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host | 114 |
| Outbound Rules Example | 115 |
| LAN WAN Outbound Rule: Blocking Instant Messenger | 115 |
| Configuring Other Firewall Features | 116 |
| Attack Checks | 116 |
| Setting Session Limits | 119 |
| Managing the Application Level Gateway for SIP Sessions | 120 |
| Creating Services, QoS Profiles, and Bandwidth Profiles | 121 |
| Adding Customized Services | 121 |
| Creating Quality of Service (QoS) Profiles | 124 |
| Creating Bandwidth Profiles | 127 |
| Setting a Schedule to Block or Allow Specific Traffic | 130 |
| Content Filtering (Blocking Internet Sites) | 131 |
| Understanding the VPN Firewall’s Content Filtering | 131 |
| Enabling and Configuring Content Filtering | 132 |
| Enabling Source MAC Filtering | 134 |
| Setting Up IP/MAC Bindings | 136 |
| Configuring Port Triggering | 138 |
| Configuring Universal Plug and Play | 141 |
| Chapter 5 Virtual Private Networking Using IPsec Connections | 143 |
| Considerations for Multi-WAN Port Systems | 143 |
| Using the IPsec VPN Wizard for Client and Gateway Configurations | 145 |
| Creating Gateway-to-Gateway VPN Tunnels with the Wizard | 145 |
| Creating a Client to Gateway VPN Tunnel | 150 |
| Using the VPN Wizard Configure the Gateway for a Client Tunnel | 150 |
| Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection | 153 |
| Testing the Connections and Viewing Status Information | 158 |
| Testing the VPN Connection | 158 |
| NETGEAR VPN Client Status and Log Information | 159 |
| Viewing the VPN Firewall IPsec VPN Connection Status | 161 |
| Viewing the VPN Firewall IPSec VPN Logs | 162 |
| Managing IPsec VPN Policies | 162 |
| Configuring IKE Policies | 163 |
| IKE Policies Screen | 164 |
| Manually Adding or Editing an IKE Policy | 165 |
| Configuring VPN Policies | 171 |
| VPN Policies Screen | 171 |
| Manually Adding or Editing a VPN Policy | 173 |
| Configuring Extended Authentication (XAUTH) | 179 |
| Configuring XAUTH for VPN Clients | 180 |
| User Database Configuration | 181 |
| RADIUS Client Configuration | 181 |
| Assigning IP Addresses to Remote Users (Mode Config) | 184 |
| Mode Config Operation | 184 |
| Configuring Mode Config Operation on the VPN Firewall | 184 |
| Configuring the ProSafe VPN Client for Mode Config Operation | 192 |
| Testing the Mode Config Connection | 197 |
| Configuring Keepalives and Dead Peer Detection | 197 |
| Configuring Keepalives | 198 |
| Configuring Dead Peer Detection | 199 |
| Configuring NetBIOS Bridging with IPsec VPN | 201 |
| Chapter 6 Virtual Private Networking Using SSL Connections | 203 |
| Understanding the SSL VPN Portal Options | 203 |
| Planning for an SSL VPN | 204 |
| Creating the Portal Layout | 206 |
| Configuring Domains, Groups, and Users | 209 |
| Configuring Applications for Port Forwarding | 210 |
| Adding Servers and Port Numbers | 210 |
| Adding a New Host Name | 212 |
| Configuring the SSL VPN Client | 212 |
| Configuring the Client IP Address Range | 213 |
| Adding Routes for VPN Tunnel Clients | 215 |
| Using Network Resource Objects to Simplify Policies | 216 |
| Adding New Network Resources | 216 |
| Editing Network Resources to Specify Addresses | 217 |
| Configuring User, Group, and Global Policies | 219 |
| Viewing Policies | 220 |
| Adding a Policy | 221 |
| Accessing the SSL Portal Login Screen | 225 |
| Viewing the SSL VPN Connection Status and SSL VPN Logs | 227 |
| Chapter 7 Managing Users, Authentication, and Certificates | 229 |
| Configuring VPN Authentication Domains, Groups, and Users | 229 |
| Configuring Domains | 230 |
| Configuring Groups for VPN Policies | 234 |
| Creating and Deleting Groups | 234 |
| Editing Groups | 236 |
| Configuring User Accounts | 237 |
| Setting User Login Policies | 239 |
| Configuring Login Policies | 239 |
| Configuring Login Restrictions Based on IP Address | 240 |
| Configuring Login Restrictions Based on Web Browser | 242 |
| Changing Passwords and Other User Settings | 243 |
| Managing Digital Certificates | 245 |
| Understanding the Certificates Screen | 246 |
| Managing CA Certificates | 247 |
| Managing Self Certificates | 248 |
| Generating a CSR and Obtaining a Self Certificate from a CA | 249 |
| Viewing and Managing Self Certificates | 252 |
| Managing the Certificate Revocation List | 252 |
| Chapter 8 Network and System Management | 255 |
| Performance Management | 255 |
| Bandwidth Capacity | 255 |
| Features That Reduce Traffic | 256 |
| LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) | 256 |
| Content Filtering | 258 |
| Source MAC Filtering | 258 |
| Features That Increase Traffic | 258 |
| LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) | 258 |
| Port Triggering | 260 |
| Configuring the DMZ Port | 260 |
| For information about how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 3-20. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 4-14. | 261 |
| Configuring Exposed Hosts | 261 |
| Configuring VPN Tunnels | 261 |
| Using QoS and Bandwidth Assignment to Shift the Traffic Mix | 261 |
| Assigning QoS Profiles | 261 |
| Monitoring Tools for Traffic Management | 262 |
| System Management | 262 |
| Changing Passwords and Administrator Settings | 262 |
| Configuring Remote Management Access | 264 |
| Using the Command-Line Interface | 268 |
| Using a Simple Network Management Protocol Manager | 268 |
| Managing the SNMP Configuration | 268 |
| Managing the VPN Firewall’s SNMP System Information | 270 |
| Managing the Configuration File | 271 |
| Backing Up Settings | 272 |
| Restoring Settings | 272 |
| Reverting to Factory Default Settings | 273 |
| Upgrading the Firmware and Rebooting the VPN Firewall | 273 |
| Configuring Date and Time Service | 275 |
| Chapter 9 Monitoring System Access and Performance | 277 |
| Enabling the WAN Traffic Meter | 277 |
| Activating Notification of Events, Alerts, and Syslogs | 281 |
| Viewing Status and Log Screens | 285 |
| Viewing the System (Router) Status and Statistics | 286 |
| Viewing the Router Status Screen | 286 |
| Viewing the Detailed Status Screen | 287 |
| Viewing the Router Statistics Screen | 291 |
| Viewing the VLAN Status | 292 |
| Viewing and Disconnecting Active Users | 293 |
| Viewing the VPN Tunnel Connection Status | 294 |
| Viewing the VPN Logs | 295 |
| Viewing the Port Triggering Status | 297 |
| Viewing the WAN Port Connection Status | 297 |
| Viewing the Attached Devices and DHCP Log | 299 |
| Viewing Attached Devices | 299 |
| Viewing the DHCP Log | 300 |
| Using the Diagnostics Utilities | 301 |
| Sending a Ping Packet or Tracing a Route | 302 |
| Looking Up a DNS Address | 303 |
| Displaying the Routing Table | 304 |
| Rebooting the VPN Firewall | 304 |
| Capturing Packets | 304 |
| Chapter 10 Troubleshooting and Using Online Support | 307 |
| Basic Functioning | 308 |
| Power LED Not On | 308 |
| Test LED Never Turns Off | 308 |
| LAN or WAN Port LEDs Not On | 309 |
| Troubleshooting the Web Management Interface | 309 |
| When You Enter a URL or IP Address a Time-Out Error Occurs | 310 |
| Troubleshooting the ISP Connection | 311 |
| Troubleshooting a TCP/IP Network Using the Ping Utility | 312 |
| Testing the LAN Path to Your VPN Firewall | 313 |
| Testing the Path from Your PC to a Remote Device | 313 |
| Restoring the Default Configuration and Password | 314 |
| Problems with Date and Time | 316 |
| Accessing the Knowledge Base and Documentation | 316 |
| Appendix A Default Settings and Technical Specifications | 317 |
| Appendix B Network Planning for Multiple WAN Ports | 321 |
| What to Consider Before You Begin | 321 |
| Cabling and Computer Hardware Requirements | 323 |
| Computer Network Configuration Requirements | 323 |
| Internet Configuration Requirements | 323 |
| Where Do I Get the Internet Configuration Information? | 324 |
| Internet Connection Information | 324 |
| Overview of the Planning Process | 325 |
| Inbound Traffic | 327 |
| Inbound Traffic to a Single WAN Port System | 327 |
| Inbound Traffic to a Dual WAN Port System | 328 |
| Inbound Traffic: Dual WAN Ports for Improved Reliability | 328 |
| Inbound Traffic: Dual WAN Ports for Load Balancing | 328 |
| Virtual Private Networks | 329 |
| VPN Road Warrior (Client-to-Gateway) | 331 |
| VPN Road Warrior: Single Gateway WAN Port (Reference Case) | 331 |
| VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability | 331 |
| VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing | 333 |
| VPN Gateway-to-Gateway | 333 |
| VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) | 333 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability | 334 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing | 335 |
| VPN Telecommuter (Client-to-Gateway through a NAT Router) | 336 |
| VPN Telecommuter: Single Gateway WAN Port (Reference Case) | 336 |
| VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability | 337 |
| VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing | 338 |
| Appendix C System Logs and Error Messages | 339 |
| System Log Messages | 340 |
| NTP | 340 |
| Login/Logout | 341 |
| System Startup | 341 |
| Reboot | 341 |
| Firewall Restart | 342 |
| IPsec Restart | 342 |
| Unicast, Multicast, and Broadcast Logs | 342 |
| ICMP Redirect Logs | 342 |
| Multicast/Broadcast Logs | 343 |
| WAN Status | 343 |
| Load Balancing | 343 |
| Auto-Rollover | 344 |
| PPP Logs | 345 |
| Resolved DNS Names | 347 |
| VPN Log Messages | 347 |
| IPsec VPN Logs | 347 |
| SSL VPN Logs | 354 |
| Traffic Meter Logs | 355 |
| Routing Logs | 356 |
| LAN to WAN Logs | 356 |
| LAN to DMZ Logs | 356 |
| DMZ to WAN Logs | 356 |
| WAN to LAN Logs | 357 |
| DMZ to LAN Logs | 357 |
| WAN to DMZ Logs | 357 |
| Other Event Logs | 358 |
| Session Limit Logs | 358 |
| Source MAC Filter Logs | 358 |
| Bandwidth Limit Logs | 358 |
| DHCP Logs | 359 |
| Appendix D Two-Factor Authentication | 361 |
| Why Do I Need Two-Factor Authentication? | 361 |
| What Are the Benefits of Two-Factor Authentication? | 361 |
| What Is Two-Factor Authentication | 362 |
| NETGEAR Two-Factor Authentication Solutions | 362 |
| Appendix E Related Documents | 365 |
| Appendix F Notification of Compliance | 367 |