Netgear UTM25EW-100NAS Reference Manual 3.0.1-124

Netgear UTM25EW-100NAS Manual

Netgear UTM25EW-100NAS manual content summary:

  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 1
    ProSecure Unified Threat Management (UTM) Appliance Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA October 2012 202-10780-03 v1.0
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 2
    http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR. Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx. NETGEAR recommends that you use only the official NETGEAR support resources. Trademarks NETGEAR, the NETGEAR logo
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 3
    the main navigation menus and configuration menus for many figures in the manual to show consistency in the presentation of the web management interface ( Kinds of Traffic) • Added support of the following features for all UTM models (these features were previously supported on the UTM9S only): -
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 4
    support the same web management interface menu layout that was already supported on the UTM50. The major changes for the UTM5, UTM10, and UTM25 are documented in Chapter 3, Manually sections: - Electronic Licensing - VLAN Rules - Create Service Groups - Create IP Groups - Manage SSL Certificates for
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 5
    19 Security Features 20 Autosensing Ethernet Connections with Auto Uplink 20 Extensive Protocol Support 21 Easy Installation and Management 21 Maintenance and Support 22 Model Comparison 22 Service Registration Card with License Keys 23 Package Contents 24 Hardware Features 24 Front
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 6
    10: System Date and Time 54 Setup Wizard Step 4 of 10: Services 55 Setup Wizard Step 5 of 10: Email Security 57 Setup Wizard the Configuration 64 Register the UTM with NETGEAR 65 Use the Web Management Interface to Activate Internet Connections 71 Manually Configure the Internet Connection
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 7
    Protection About Firewall Protection 127 Administrator Tips 128 Overview of Rules to Block or Allow Specific Kinds of Traffic 128 Outbound Rules (Service Blocking 129 Inbound Rules (Port Forwarding 133 Order of Precedence for Rules 138 Configure LAN WAN Rules 139 Create LAN WAN Outbound
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 8
    199 Protect Against Email Spam 202 Configure Web and Services Protection 210 Customize Web Protocol Scan Settings 210 Configure Connection and Status Information . . . . . 287 Test the NETGEAR VPN Client Connection 287 NETGEAR VPN Client Status and Log Information 289 View the UTM IPSec VPN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 9
    the New SSL VPN Portal 353 View the UTM SSL VPN Connection Status 356 View the UTM SSL VPN Log 357 Manually Configure and Modify SSL Portals 357 Manually Create or Modify the Portal Layout 359 Configure Domains, Groups, and Users 362 Configure Applications for Port Forwarding 363 Configure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 10
    Manage the Configuration File 445 Update the Firmware 448 Update the Scan Signatures and Scan Engine Firmware 454 Configure Date and Time Service 456 Connect to a ReadyNAS and Configure Quarantine Settings 458 Log Storage 459 Connect to a ReadyNAS 459 Configure the Quarantine Settings 460
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 11
    the Path from Your Computer to a Remote Device 544 Restore the Default Configuration and Password 545 Problems with Date and Time 546 Use Online Support 546 Enable Remote Troubleshooting 546 Send Suspicious Files to NETGEAR for Analysis 547 Access the Knowledge Base and Documentation 548 11
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 12
    602 For More Information About Wireless Configurations 602 Appendix C 3G/4G Dongles for the UTM9S and UTM25S 3G/4G Dongle Configuration Tasks 603 Manually Configure the USB Internet Connection 604 Configure the 3G/4G Settings 608 Configure the WAN Mode 610 Overview of the WAN Modes 611
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 13
    . . . . . 635 Appendix E ReadyNAS Integration Supported ReadyNAS Models 638 Install the UTM Add-On on the What Is Two-Factor Authentication 645 NETGEAR Two-Factor Authentication Solutions 645 Appendix Logs 655 Invalid Packet Logging 656 Service Logs 658 Content-Filtering and Security
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 14
    ProSecure Unified Threat Management (UTM) Appliance Email Filter Logs 661 IPS Logs 662 Anomaly Behavior Logs 662 Application Logs 663 Routing Logs 663 LAN-to-WAN Logs 663 LAN-to-DMZ Logs 664 DMZ-to-WAN Logs 664 WAN-to-LAN Logs 664 DMZ-to-LAN Logs 665 WAN-to-DMZ Logs 665 Appendix H Default
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 15
    Key Features and Capabilities • Service Registration Card with License Keys • Package Contents • Hardware Features • Choose a Location for the UTM Note: For more information about the topics covered in this manual, visit the Support website at http://support.netgear.com. Note: Firmware updates with
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 16
    with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks or distributed DoS ( or Outbound Load Balancing • Wireless Features • DSL Features • Advanced VPN Support for Both IPSec and SSL • A Powerful, True Firewall • Stream
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 17
    users, and enhance productivity. • Easy, web-based wizard setup for installation and management. • SNMP manageable with support for SNMPv1, SNMPv2, and SNMPv3. • Support for the NETGEAR Network Management System NMS200. • Front panel LEDs for easy monitoring of status and activity. • Flash memory
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 18
    support with 802.11a/n wireless modes. • Wireless security profiles. Support for up to four wireless security profiles, each with its own SSID. • WMM QoS priority. Wi-Fi Multimedia (WMM) Quality of Service DSL is supported on the UTM9S and VPN with broad protocol support for secure connection to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 19
    transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories. - Allows browser-based capabilities: • DoS protection. Automatically detects and thwarts (distributed) denial of service (DoS) attacks such as Ping of Death and SYN flood. •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 20
    individual users, or a combination of both. The UTM supports multiple applications. • Automatic signature updates. Malware signatures are unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 21
    Service (QoS). The UTM supports QoS, including traffic prioritization and traffic classification with Type of Service (ToS) and Differentiated Services VPN routers and clients. • SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard so you can easily configure SSL connections over VPN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 22
    IP address or range of addresses. • Visual monitoring. The UTM's front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the UTM: • Flash memory for firmware upgrades. • Technical
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 23
    ✓ ✓ ✓ ✓ ✓ ✓ Wireless network module   3G/4G USB dongle   Deployment VLAN support ✓ ✓ ✓ ✓ ✓ ✓ ✓ Dual WAN auto-rollover mode ✓ ✓ ✓ ✓ ✓ Dual WAN load balancing mode ✓ ✓ ✓ ✓ ✓ Single WAN mode ✓ ✓ ✓ ✓ ✓ ✓ ✓ Service Registration Card with License Keys Be sure to store the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 24
    Guide • resource CD, including: - Application Notes and other helpful information - ProSafe VPN Client software (VPN01L) (depends on the UTM model) • Service Registration Card with license keys If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 25
    ProSecure Unified Threat Management (UTM) Appliance • Rear Panel UTM50 and UTM150 • Rear Panel UTM9S and UTM25S • Bottom Panels with Product Labels The front panels contain ports and LEDs; the rear panels contain ports, connectors, and other components; and the bottom panels contain product labels.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 26
    ProSecure Unified Threat Management (UTM) Appliance Front Panel UTM25 Viewed from left to right, the UTM25 front panel contains the following ports: • One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM. • LAN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 27
    ProSecure Unified Threat Management (UTM) Appliance Power LED Left LAN LEDs Left WAN LEDs USB port DMZ LED Test LED Right LAN LEDs Figure 4. Front panel UTM50 Right WAN LEDs Active WAN LEDs Front Panel UTM150 Viewed from left to right, the UTM150 front panel contains the following ports:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 28
    ProSecure Unified Threat Management (UTM) Appliance Front Panel UTM9S and UTM25S and Network Modules Viewed from left to right, the UTM9S and UTM25S front panel contains the following ports and slots: • One USB port that can accept a 3G/4G dongle for wireless connectivity to an ISP. The port is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 29
    ProSecure Unified Threat Management (UTM) Appliance xDSL Network Modules The following xDSL network modules are available for insertion in one of the UTM9S or UTM25S slots: • NMSDSLA. VDSL/ADSL2+ network module, Annex A. • NMSDSLB. VDSL/ADSL2+ network module, Annex B. Note: In previous releases for
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 30
    ProSecure Unified Threat Management (UTM) Appliance Figure 8. Wireless network module LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 The following table describes the function of each LED. Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150 LED Activity Description Power
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 31
    ProSecure Unified Threat Management (UTM) Appliance Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150 (continued) LED Activity LAN ports Left LED Off On (green) Blinking (green) Right LED Off On (amber) On (green) DMZ LED Off On (green) WAN ports Left LED Off On (green)
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 32
    ProSecure Unified Threat Management (UTM) Appliance LED Descriptions, UTM9S, UTM25S, and their Network Modules The following table describes the function of each LED on the UTM9S and UTM25S and their network modules. Table 3. LED descriptions UTM9S and UTM25S LED Activity Description Power LED
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 33
    ProSecure Unified Threat Management (UTM) Appliance Table 3. LED descriptions UTM9S and UTM25S (continued) LED Activity Right LED Off On (amber) On (green) Active LED Off On (green) Wireless network module Module Off Status LED On (green) Wireless Link LED Off On (green) Blinking (
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 34
    ProSecure Unified Threat Management (UTM) Appliance Viewed from left to right, the rear panel of the UTM5, UTM10, and UTM25 contains the following components: 1. Cable security lock receptacle. 2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 35
    ProSecure Unified Threat Management (UTM) Appliance Rear Panel UTM9S and UTM25S The rear panel of the UTM9S and UTM25S includes the cable lock receptacle, the console port and console switch, the Factory Defaults reset button, the AC power connection, and the power switch. Security lock
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 36
    ProSecure Unified Threat Management (UTM) Appliance Bottom Panels with Product Labels The product label on the bottom of the UTM's enclosure displays factory defaults settings, regulatory compliance, and other information. The following figure shows the product label for the UTM5: Figure 12. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 37
    ProSecure Unified Threat Management (UTM) Appliance The following figure shows the product label for the UTM25: Figure 14. The following figure shows the product label for the UTM50: Figure 15. Introduction 37
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 38
    ProSecure Unified Threat Management (UTM) Appliance The following figure shows the product label for the UTM150: Figure 16. The following figure shows the product label for the UTM9S: Figure 17. Introduction 38
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 39
    ProSecure Unified Threat Management (UTM) Appliance The following figure shows the product label for the UTM25S: Figure 18. Choose a Location for the UTM The UTM is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 40
    ProSecure Unified Threat Management (UTM) Appliance Use the Rack-Mounting Kit Use the mounting kit for the UTM to install the appliance in a rack. (A mounting kit is provided in the package for the multiple WAN port models.) Attach the mounting brackets using the hardware that is supplied with the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 41
    restart your network according to the instructions in the Installation Guide. See the ProSecure Unified Threat Management UTM Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://www.prosecure.netgear.com/resources/document-library.php. 2. Log
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 42
    Register the UTM. See Register the UTM with NETGEAR on page 65. Each of these tasks is described WAN options is described in Chapter 3, Manually Configure Internet and WAN Settings. The interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 43
    ProSecure Unified Threat Management (UTM) Appliance Figure 20. 3. In the User Name field, type admin. Use lowercase letters. 4. In the Password / Passcode field, type password. Here, too, use lowercase letters. Note: The UTM user name and password are not the same as any user name or password you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 44
    ProSecure Unified Threat Management (UTM) Appliance Figure 21. Web Management Interface Menu Layout The following figure shows the menu at the top of the UTM50 web management interface as an example. Use the Setup Wizard to Provision the UTM in Your Network 44
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 45
    ProSecure Unified Threat Management (UTM) Appliance 3rd level: Submenu tab (blue) 2nd level: Configuration menu link (gray) 1st level: Main navigation menu link (orange) Figure 22. Option arrow: Additional screen for submenu item The web management interface menu consists of the following
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 46
    ProSecure Unified Threat Management (UTM) Appliance • Back. Go to the previous screen (for wizards). • Search. Perform a search operation. • Cancel. Cancel the operation. • Send Now. Send a file or report. When a screen includes a table, table buttons display to let you configure the table entries.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 47
    Step 3 of 10: System Date and Time • Setup Wizard Step 4 of 10: Services • Setup Wizard Step 5 of 10: Email Security • Setup Wizard Step 6 of 10 Manually Configure Internet and WAN Settings. ➢ To start the Setup Wizard: 1. Select Wizards from the main navigation menu. The Welcome to the Netgear
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 48
    ProSecure Unified Threat Management (UTM) Appliance Setup Wizard Step 1 of 10: LAN Settings Figure 26. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: In this first step, you are configuring the LAN settings for the UTM's default VLAN.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 49
    device on your network is the DHCP server for the default VLAN, or if you will configure the network settings of all of your computers manually, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 50
    • OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net The port number for the LDAP server. The default setting is 0 (zero). Enable DNS Proxy
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 51
    ProSecure Unified Threat Management (UTM) Appliance Table 4. Setup Wizard Step 1: LAN Settings screen settings (continued) Setting Description Inter VLAN Routing Enable Inter VLAN Routing This setting is optional. To ensure that traffic is routed only to VLANs for which inter-VLAN routing is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 52
    then click Next to go to the following screen. Note: Instead of manually entering the settings, you can also click the Auto Detect action button of connection methods and suggests one that your ISP is most likely to support. Table 5. Setup Wizard Step 2: WAN Settings screen settings Setting ISP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 53
    ProSecure Unified Threat Management (UTM) Appliance Table 5. Setup Wizard Step 2: WAN Settings screen settings (continued) Setting Description Austria (PPTP) (continued) Other (PPPoE) My IP Address The IP address assigned by the ISP to make the connection with the ISP server. Server IP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 54
    button in the Action column of the WAN interface for which you want to change the settings. For more information about these WAN settings, see Manually Configure the Internet Connection on page 75. Setup Wizard Step 3 of 10: System Date and Time Figure 28. Use the Setup Wizard to Provision the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 55
    , both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome. Server settings, see Configure Date and Time Service on page 456. Setup Wizard Step 4 of 10: Services Figure 29. Use the Setup Wizard to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 56
    Ports to Scan field. HTTPS scanning is disabled by default. To enable HTTPS scanning, select the corresponding check box. You can change the standard service port (443) or add another port in the corresponding Ports to Scan field. FTP scanning is enabled by default. To disable FTP scanning, clear
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 57
    ProSecure Unified Threat Management (UTM) Appliance Setup Wizard Step 5 of 10: Email Security Figure 30. Enter the settings as explained in the following table, and then click Next to go to the following screen. Table 8. Setup Wizard Step 5: Email Security screen settings Setting Action SMTP POP3
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 58
    ProSecure Unified Threat Management (UTM) Appliance Table 8. Setup Wizard Step 5: Email Security screen settings (continued) Setting Description IMAP From the IMAP drop-down list, select one of the following actions to be taken when an infected email is detected: • Delete attachment. This is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 59
    ProSecure Unified Threat Management (UTM) Appliance Table 9. Setup Wizard Step 6: Web Security screen settings Setting Description Action HTTP From the HTTP drop-down list, select one of the following actions to be taken when an infected web file or object is detected: • Delete file. This is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 60
    ProSecure Unified Threat Management (UTM) Appliance Scan screen also lets you specify HTML scanning and notification settings. For more information about these settings, see Configure Web Malware or Antivirus Scans on page 216. Setup Wizard Step 7 of 10: Web Categories to Be Blocked Figure 32. Use
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 61
    ProSecure Unified Threat Management (UTM) Appliance Enter the settings as explained in the following table, and then click Next to go to the following screen. Table 10. Setup Wizard Step 7: Web Categories to be blocked screen settings Setting Description Blocked Web Categories Select the Enable
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 62
    Administrator Email Notification Settings Show as mail sender A descriptive name of the sender for email identification purposes. For example, enter [email protected]. SMTP server The IP address and port number or Internet name and port number of your ISP's outgoing email SMTP server
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 63
    this table). Set the update source server by selecting one of the following radio buttons: • Default update server. Files are updated from the default NETGEAR update server. • Server address. Files are updated from the server that you specify. Enter the IP address or host name of the update server
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 64
    ProSecure Unified Threat Management (UTM) Appliance Table 12. Setup Wizard Step 9: Signatures & Engine screen settings (continued) Setting Description Update Frequency Specify the frequency with which the UTM checks for file updates: • Weekly. From the drop-down lists, select the weekday, hour,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 65
    need to register your UTM with NETGEAR. The UTM comes with four 30-day trial licenses: • Web protection • Email protection • Support and maintenance • Application control and IPS The service license keys are provided with the product package (see Service Registration Card with License Keys on page
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 66
    have used the 30-day trial licenses, these trial licenses are revoked once you activate the purchased service license keys. The purchased service license keys offer 1 year or 3 years of service. 4. Click Register. The UTM activates the license and registers the unit with the registration and update
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 67
    have purchased the UTM with a 1- or 3-year license, you can use the electronic licensing option to connect to the Internet and to the NETGEAR registration server, the UTM can retrieve and and restore all registration information: 1. Select Support > Registration. The Registration screen displays (see
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 68
    before deploying it in a live production environment. The following instructions walk you through a couple of quick tests that are is enabled. HTTP scanning is enabled by default (see Setup Wizard Step 4 of 10: Services on page 55). 2. Take note of the web security settings for HTTP (see Setup
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 69
    ProSecure Unified Threat Management (UTM) Appliance The UTM is ready for use. However, the following sections describe important tasks that you might want to address before you deploy the UTM in your network: • Configure the WAN Mode (required if you want to use multiple WAN ports) • Configure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 70
    3 This chapter contains the following sections: • Internet and WAN Configuration Tasks • Automatically Detecting and Connecting the Internet Connections • Manually Configure the Internet Connection • Configure the WAN Mode • Configure Secondary WAN Addresses • Configure Dynamic DNS • Set the UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 71
    to your ISPs. During this phase, you connect to your ISPs. See Automatically Detecting and Connecting the Internet Connections on page 71 or Manually Configure the Internet Connection on page 75. 2. Configure the WAN mode (required for multiple WAN port models). For all models, select either NAT
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 72
    to the Internet automatically. The WAN ISP Settings screen displays. The following figure shows the WAN1 ISP Settings screen of the UTM50 as an example: Manually Configure Internet and WAN Settings 72
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 73
    of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results: • If the the top of the screen displays the results (for example, DHCP service detected). • If the autodetect process senses a connection method that requires
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 74
    UTM) Appliance Table 13. Internet connection methods Connection method Manual data input required DHCP (Dynamic IP) No data is see Set the UTM's MAC Address and Configure Advanced WAN Options on page 94 and Troubleshoot the ISP Connection on page 541. 4. Click Apply to save your changes. 5. Click
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 75
    in Set the UTM's MAC Address and Configure Advanced WAN Options on page 94. For information about troubleshooting, see Troubleshoot the ISP Connection on page 541. Manually Configure the Internet Connection Unless your ISP automatically assigns your configuration through DHCP, you need to obtain
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 76
    The IP address assigned by the ISP to make the connection with the ISP server. Server IP Address The IP address of the PPTP server. Manually Configure Internet and WAN Settings 76
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 77
    the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address. Figure 42. Manually Configure Internet and WAN Settings 77
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 78
    cause connectivity issues. Primary DNS Server The IP address of the primary DNS server. Secondary DNS Server The IP address of the secondary DNS server. Manually Configure Internet and WAN Settings 78
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 79
    USB Port Status on page 504. What to do next: • If the manual ISP configuration is successful: You are connected to the Internet through the WAN interfaces, continue with Configure the WAN Mode on page 80. • If the manual ISP configuration fails: You might need to change the MAC address as described
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 80
    . Depending on the UTM model, you can configure up to four WAN interfaces. The UTM supports weighted load balancing and round-robin load balancing (see Configure Load Balancing and Optional Protocol Binding link. If the UTM model has more than two Manually Configure Internet and WAN Settings 80
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 81
    and that you configure the WAN failure detection method on the WAN Advanced Options screen to support auto-rollover (see Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port is configured using an inbound firewall rule. Manually Configure Internet and WAN Settings 81
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 82
    WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover. Manually Configure Internet and WAN Settings 82
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 83
    . c. Select the Auto Rollover check box. d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface. Manually Configure Internet and WAN Settings 83
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 84
    DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the Internet Connection on page 75). Custom DNS DNS queries are sent to the specified DNS server. DNS Server The IP address of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 85
    low-volume traffic can be routed through the WAN port connected to the low-speed link. • Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 86
    , then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. Manually Configure Internet and WAN Settings 86
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 87
    circle. The protocol binding rule is disabled. • Service. The service or protocol for which the protocol binding rule is Local Gateway. The WAN interface to which the service or protocol is bound. • Source Network. The for the corresponding service. 2. Click the Add table button below
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 88
    Add Protocol Binding screen settings Setting Description Service From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the for the range to which the rule is applied. Manually Configure Internet and WAN Settings 88
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 89
    of the following outbound firewall rule screens: - Add LAN WAN Outbound Service screen - Add DMZ WAN Outbound Service screen For more information about firewall rules, see Overview of Rules to Block or Allow Specific Kinds of Traffic on page 128). Manually Configure Internet and WAN Settings 89
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 90
    Address. Enter the secondary address that you want to assign to the WAN interface. • Subnet Mask. Enter the subnet mask for the secondary IP address. Manually Configure Internet and WAN Settings 90
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 91
    Delete table button. Configure Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet DDNS service does not work because private addresses are not routed on the Internet. Manually Configure Internet and WAN Settings 91
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 92
    options that match the configured WAN mode are accessible onscreen. 2. Click the submenu tab for your DDNS service provider: • Dynamic DNS for DynDNS.org (which is shown in the following figure) • DNS TZO of a DNS screen for registration information.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 93
    not often change, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If the Update every 30 days check different DDNS services for different WAN interfaces. 6. Click Apply to save your configuration.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 94
    Options screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Advanced Options screen of the UTM50 as an example.)
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 95
    to reduce the MTU. This is rarely required, and should not be done unless you are sure that it is necessary for your ISP connection.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 96
    you cannot establish an Internet connection, you might need to select the port speed manually. If you know the Ethernet port speed of the modem or router, select this MAC Address Select the Use this MAC Address radio button, and manually enter the MAC address in the field next to the radio button.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 97
    made, when you click Apply, the UTM restarts, or services such as HTTP and SMTP might restart. If you want • To register the UTM with NETGEAR, see Register the UTM with NETGEAR on page 65. • To test page 438). If you enable remote management, NETGEAR strongly recommends that you change your password (
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 98
    4. LAN Configuration 4 This chapter describes how to configure the advanced LAN features of your UTM. This chapter contains the following sections: • Manage Virtual LANs and DHCP Options • Configure Multihome LAN IP Addresses on the Default VLAN • Manage Groups and Hosts (LAN Groups) • Configure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 99
    be crossed only through a router. So standard, router-based security measures can be used to restrict access to each VLAN. Port-Based VLANs The UTM supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 100
    ports, and the default VLAN profile and another VLAN profile as examples. Note that the LAN Setup screen for the UTM50 (not shown in this manual) has six LAN ports in the Default VLAN section.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 101
    ) options (see Configure a VLAN Profile on page 103). The configuration of the DHCP options for the UTM's default VLAN, or VLAN 1, is explained in Chapter 3, Manually Configure Internet and WAN Settings. This section provides further information about the DHCP options.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 102
    UTM a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 103
    (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, as examples. Note that the LAN Setup screen for the UTM50 (not shown in this manual) has six LAN ports in the Default VLAN section. Note: For information about how
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 104
    for the UTM with four ports in the Port Membership section. Note that the Edit VLAN Profile screen for the UTM50 (not shown in this manual) has six ports in the Port Membership section. Figure 56.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 105
    another device on your network is the DHCP server for the VLAN, or if you will configure the network settings of all of your computers manually, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 106
    Table 21. Edit VLAN Profile screen settings (continued) Setting Enable DHCP Server DHCP Relay Description Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 107
    OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero). DNS Proxy
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 108
    Note: When you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 5,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 109
    Figure 57. 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 110
    Available Secondary LAN IPs table. Note: Secondary IP addresses cannot be configured in the DHCP server. The hosts on the secondary subnets need to be manually configured with the IP addresses, gateway IP address, and DNS server IP addresses.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 111
    a reply to an ARP request, it might not be able to determine the device name if the software firewall of the device blocks the name. • Manual entry. You can manually enter information about a network device.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 112
    each computer, users cannot avoid these restrictions by changing their IP address. Manage the Network Database You can view the network database, manually add or remove database entries, and edit database entries. To view the network database, select Network Config > LAN Settings > LAN Groups. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 113
    For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). device is assigned a static IP address, you need to update this entry manually after the IP address on the computer or device has changed. • MAC
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 114
    to bind the IP address to the MAC address for DHCP assignment. Modify Computers or Devices in the Network Database ➢ To modify computers or devices manually in the network database: 1. In the Known PCs and Devices table of the LAN Groups screen (see the previous figure), click the Edit table
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 115
    Figure 60. 2. Modify the settings as explained in Table 22 on page 114. 3. Click Apply to save your settings in the Known PCs and Devices table. Delete Computers or Devices from the Network Database ➢ To delete one or more computers or devices from
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 116
    Figure 61. 3. Select the radio button next to the group name that you want to edit. 4. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes (") are not allowed. 5. Repeat Step 3 and Step 4 for any other
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 117
    , or email server) and provide public access to them. The rightmost LAN port on the UTM can be dedicated as a hardware DMZ port to provide services to the Internet safely without compromising security on your LAN. On the UTM5, UTM10, UTM25, and UTM150, this is LAN port 4; on the UTM50, this
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 118
    Figure 62. 2. Enter the settings as explained in the following table: Table 23. DMZ Setup screen settings Setting DMZ Port Setup Do you want to enable DMZ Port? Description Select one of the following radio buttons: • Yes. Enables you to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 119
    another device on your network is the DHCP server for the VLAN, or if you will configure the network settings of all of your computers manually, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 120
    OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero). DNS Proxy
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 121
    screen (see Configure Multihome LAN IP Addresses on the Default VLAN on page 109). Therefore, you do not need to add a static route manually between a VLAN and a secondary IP address. Configure Static Routes ➢ To add a static route to the Static Route table: 1. Select Network Config > Routing. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 122
    Figure 64. 3. Enter the settings as explained in the following table: Table 24. Add Static Route screen settings Setting Route Name Active Description The route name for the static route (for purposes of identification and management). To make
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 123
    ➢ To edit a static route that is in the Static Routes table: 1. On the Routing screen (see Figure 63 on page 121), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 124
    Figure 65. 3. Enter the settings as explained in the following table: Table 25. RIP Configuration screen settings Setting RIP RIP Direction Description From the RIP Direction drop-down list, select the direction in which the UTM sends and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 125
    not include subnet information. This is the most commonly supported version. • RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 126
    Static Route Example In this example, we assume the following: • The UTM's primary Internet access is through a cable modem to an ISP. • The UTM is on a local LAN with IP address 192.168.1.100. • The UTM connects to a remote network where you need
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 127
    LAN WAN Rules • Configure DMZ WAN Rules • Configure LAN DMZ Rules • Examples of Firewall Rules • Configure Other Firewall Features • Create Services, QoS Profiles, Bandwidth Profiles, and Traffic Meter Profiles • Set a Schedule to Block or Allow Specific Traffic • Enable Source MAC Filtering
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 128
    using the following features and capabilities of the UTM: - Groups and hosts (see Manage Groups and Hosts (LAN Groups) on page 111) - Services (see Outbound Rules (Service Blocking) on page 129) - Schedules (see Set a Schedule to Block or Allow Specific Traffic on page 177) - Allow or block sites
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 129
    number of Maximum number of Maximum number of outbound rules inbound rules supported rules 300 300 600 50 50 100 50 50 100 400 400 block traffic are based on the traffic's category of service: • Outbound rules (service blocking). Outbound traffic is usually allowed unless the firewall
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 130
    are necessary for your network. The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 68 on page 141, Figure 71 on page 144, and Figure 74 on page 147). The steps to configure outbound rules are
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 131
    Table 27. Outbound rules overview (continued) Setting LAN Users WAN Users DMZ Users Users Allowed Description Outbound Rules The settings that determine which computers on your network are affected by this rule. The options are: • Any. All
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 132
    Table 27. Outbound rules overview (continued) Setting QoS Profile Description Outbound Rules The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 133
    (for example, a web server or game server) visible and available to the Internet. The rule informs the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This process is also known as port forwarding. Whether or not DHCP is enabled
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 134
    DoS attack does not attempt to steal data or damage your computers, but overloads your Internet connection so you cannot use it (that is, the service becomes unavailable). Note: When the Block TCP Flood and Block UDP Flood check boxes are selected on the Attack Checks screen (see Attack Checks, VPN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 135
    LAN server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.) The DMZ server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.)
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 136
    Table 28. Inbound rules overview (continued) Setting LAN Users WAN Users DMZ Users Users Allowed Description Inbound Rules The settings that determine which computers on your network are affected by this rule. The options are: • Any. All
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 137
    Table 28. Inbound rules overview (continued) Setting Description Inbound Rules QoS Profile The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 138
    Table 28. Inbound rules overview (continued) Setting Description Inbound Rules Application Control Select an application control profile to allow, block, or log traffic for entire categories of applications, for individual applications, or
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 139
    be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking. You can change the default policy of Allow Always to Block Always to block all outbound traffic, which then allows you to enable only
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 140
    rules to your specific needs (see Administrator Tips on page 128). WARNING: This feature is for advanced administrators. Incorrect configuration might cause serious problems. ➢ To create an outbound LAN WAN service rule: 1. In the LAN WAN Rules screen, click the Add table button under the Outbound
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 141
    in Table 27 on page 130. 3. Click Apply to save your changes. The new rule is now added to the Outbound Services table. Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 142
    page 135. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Configure DMZ WAN Rules • Create DMZ WAN Outbound Service Rules • Create DMZ WAN Inbound Service Rules The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 143
    Rules. The DMZ WAN Rules screen displays. (The following figure shows some rules as an example.) Figure 70. ➢ To change an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons: • Edit. Allows you to make any
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 144
    policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any external
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 145
    28 on page 135. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Configure LAN DMZ Rules • Create LAN DMZ Outbound Service Rules • Create LAN DMZ Inbound Service Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 146
    To access the LAN DMZ Rules screen and to change an existing outbound or inbound service rule, select Network Security > Firewall > LAN DMZ Rules. The LAN DMZ Rules screen displays: Figure 73. In the Action column to the right of to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 147
    policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any internal
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 148
    the settings as explained in Table 28 on page 135. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Examples of Firewall Rules • Inbound Rule Examples • Outbound Rule Example Inbound Rule Examples LAN WAN Inbound Rule: Host a Local Public Web Server If
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 149
    Figure 76. LAN WAN Inbound Rule: Allow Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 150
    to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures page 89.) The following addressing scheme is used to illustrate this procedure: • NETGEAR UTM: - WAN IP address. 10.1.0.118 - LAN IP address subnet.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 151
    to be on your DMZ, click the DMZ WAN Rules submenu tab. 3. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays: Figure 78. 4. From the Service drop-down list, select HTTP for a web server. 5. From the Action drop-down list, select ALLOW Always
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 152
    Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen. To test the connection from a computer up a computer or server that is available to anyone on the Internet for services that you have not yet defined. ➢ To expose one of the computers
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 153
    WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 154
    VLANs. ➢ To create a VLAN rule: 1. Select Network Security > Firewall > VLAN Rules. The VLAN Rules screen displays. (The following figure shows one rule in the VLAN Services table as an example.) Figure 81. 2. Under the VLAN Services table, click the Add table button. The Add VLAN-VLAN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 155
    Figure 82. 3. Enter the settings as explained in the following table. Table 29. Add VLAN-VLAN Service screen settings Setting Description Service The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 156
    settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified VLAN rule is displayed in the VLAN Services table. ➢ To delete or disable one or more VLAN rules: 1. Select the check box to the left of each VLAN rule that you want to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 157
    enable the UTM to drop all invalid TCP packets and to protect the UTM from a SYN flood attack. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. When the system responds, the attacker does not complete the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 158
    (UDP) connections from a single device on the LAN. By default, the Block UDP flood check box is cleared. A UDP flood is a form of denial of service attack that can be initiated when one device sends many UDP packets to random ports on a remote host. As a result, the distant host does the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 159
    Figure 84. 2. In the Multicast Pass through section of the screen, select the Yes radio button to enable multicast pass-through. (By default the Yes radio button is enabled.) When you enable multicast pass-through, an Internet Group Management
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 160
    ➢ To delete one or more multicast source addresses: 1. In the Alternate Networks table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 161
    sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default. You can enable scanning of VPN traffic that passes through the UTM. VPN scanning increases
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 162
    to an application and a port number. You can also narrow down the firewall rule to a group of services. For information about adding services and service groups, see Add Customized Services on page 163 and Create Service Groups on page 165. • IP groups. An IP group is a LAN group or a WAN group to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 163
    priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles, see Create Quality of Service Profiles on page 169. • Bandwidth profiles. A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 164
    Type drop-down list. The first TCP or UDP port of a range that the service uses. Note: This field is enabled only when you select TCP or UDP from . End Port The last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 165
    in a single firewall rule. For example, if there are 10 web servers, each of which requires the same three port-forwarding rules, you can create a service group for the port-forwarding rules, an IP group for the web servers (see Create IP Groups on page 167), and then create only one
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 166
    screen displays: Figure 90. 3. In the Name field, enter a name for the service. 4. Use the move buttons (>) to move services between the Available Services field and the List of Selected Services field to specify the services that you want to be part of the group. 5. Click Apply to save your
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 167
    Users or WAN Users drop-down list on a screen on which you add or edit a firewall rule. ➢ To create an IP group: 1. Select Network Security > Services > IP Groups. The IP Groups screen displays. (The following figure shows two groups in the Custom IP Groups table as an example.) Figure 91. 2. In
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 168
    steps to add more IP addresses to the IP Addresses Grouped table. 8. Click the Edit table button to return to IP Groups screen. ➢ To edit a service group: 1. In the Custom IP Groups table, click the Edit table button to the right of the IP group that you want to edit. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 169
    pop-up screens from the Add or Edit Application Control Profile screen (see Figure 135 on page 243). Priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. There are no default QoS profiles on the UTM. Following are examples of QoS profiles that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 170
    A descriptive name of the QoS profile for identification and management purposes. Select the Re-Mark check box to set the differentiated services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value. If you clear
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 171
    : • IP Precedence. A legacy method that sets the priority in the ToS byte of an IP header. • DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field (which is the same as the ToS byte) of an IP header. The QoS value in the ToS or DiffServ
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 172
    or Edit Application Control Profile screen (see Figure 135 on page 243). ➢ To add and enable a bandwidth profile: 1. Select Network Security > Services > Bandwidth Profiles. The Bandwidth Profiles screen displays. (The following figure shows one user-defined profile in the List of Bandwidth Profiles
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 173
    Figure 96. 3. Enter the settings as explained in the following table: Table 34. Add Bandwidth Profile screen settings Setting Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 174
    Table 34. Add Bandwidth Profile screen settings (continued) Setting Policy Type Type Description From the Policy Type drop-down list, select how the policy is applied when it is assigned to multiple firewall rules: • Per Policy. The policy
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 175
    from the Add or Edit Application Control Profile screen (see Figure 135 on page 243). ➢ To add a traffic meter profile: 1. Select Network Security > Services > Traffic Meter. The Traffic Meter screen displays. (The following figure shows two profiles in the List of Traffic Meter Profiles table as an
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 176
    Figure 98. 3. Enter the settings as explained in the following table: Table 35. Add Traffic Meter Profile screen settings Setting Profile Name Direction Download Limit Upload Limit When Limit is reached Policy Type Description A descriptive name
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 177
    be applied. You can create multiple schedules and select any one of them when defining firewall rules. ➢ To add a schedule: 1. Select Network Security > Services > Schedule. The Schedule screen displays. (The following figure shows two schedules in the List of Schedules table as an example.) Figure 99
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 178
    Figure 100. 3. Enter the settings as explained in the following table: Table 36. Add Schedule screen settings Setting Description Profile Name A name of the schedule for identification and management purposes. Description A description to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 179
    from any computers or devices whose MAC addresses are listed in the MAC Addresses table. Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 129. Firewall Protection 179
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 180
    ➢ To enable MAC filtering and add MAC addresses to be permitted or blocked: 1. Select Network Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view. (The following figure shows one address in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 181
    ProSecure Unified Threat Management (UTM) Appliance Set Up IP/MAC Bindings IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some computers or devices are configured with static addresses. To prevent users from changing their static IP addresses, the IP/MAC
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 182
    ProSecure Unified Threat Management (UTM) Appliance Figure 102. 2. Enter the settings as explained in the following table: Table 37. IP/MAC Binding screen settings Setting Description Email IP/MAC Violations Do you want to Select one of the following radio buttons: enable E-mail Logs • Yes.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 183
    ProSecure Unified Threat Management (UTM) Appliance To edit an IP/MAC binding: 1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays. 2. Modify the settings that you wish to change (see the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 184
    ProSecure Unified Threat Management (UTM) Appliance To add a port-triggering rule: 1. Select Network Security > Port Triggering. The Port Triggering screen displays. (The following figure shows a rule in the Port Triggering Rule table as an example.) Figure 103. 2. In the Add Port Triggering Rule
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 185
    ProSecure Unified Threat Management (UTM) Appliance To edit a port-triggering rule: 1. In the Port Triggering Rules table, click the Edit table button to the right of the port-triggering rule that you want to edit. The Edit Port Triggering Rule screen displays. 2. Modify the settings that you wish
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 186
    ProSecure Unified Threat Management (UTM) Appliance Configure Universal Plug and Play The Universal Plug and Play (UPnP) feature enables the UTM to discover and configure devices automatically when it searches the LAN and WAN. 1. Select Security > UPnP. The UPnP screen displays: Figure 105. The UPnP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 187
    Intrusion Prevention System The intrusion prevention system (IPS) of the UTM monitors all network traffic to detect, in real time, distributed denial-of-service (DDoS) attacks, network attacks, and port scans, and to protect your network from such intrusions. You can set up alerts, block source IP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 188
    ProSecure Unified Threat Management (UTM) Appliance Table 39. IPS screen settings (continued) Setting Description Detect DDoS Detect the action that is taken when the UTM detects a DDoS attack: • Alert. An alert is emailed to the administrator that is specified on the Email Notification screen.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 189
    ProSecure Unified Threat Management (UTM) Appliance Figure 106. IPS, screen 1 of 2 Firewall Protection 189
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 190
    ProSecure Unified Threat Management (UTM) Appliance Figure 107. IPS, screen 2 of 2 4. Click Apply to save your settings. The following table explains some of the less familiar attack names in the IPS: Table 40. IPS: uncommon attack names Attack Name Web Web-Misc Description Detects some specific
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 191
    under other web categories, such as DoS and overflow attacks against specific web services. These web services include IMail Web Calendaring, ZixForum, ScozNet, ScozNews, and other services. Detects traffic that involves visiting pornographic websites. Detects traffic that violates common policies
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 192
    access policies that are based on the time of day, web addresses, and web address keywords. You can also block Internet access by applications and services, such as instant messaging and peer-to-peer file-sharing clients. Note: Traffic that passes on the UTM's VLANs and on the secondary IP addresses
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 193
    ProSecure Unified Threat Management (UTM) Appliance Note: The UTM can quarantine spam and malware only if you have integrated a ReadyNAS (see Connect to a ReadyNAS on page 459) and configured the quarantine settings (see Configure the Quarantine Settings on page 460). Default Email and Web Scan
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 194
    IMAP), you can globally enable or disable scanning for viruses, contents, and spam. To configure the email protocols and ports to scan: 1. Select Application Security > Services. The Services submenu tabs display with the Services screen in view. Content Filtering and Optimizing Scans 194
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 195
    page 228). 3. If a protocol uses a port other than the standard service port (for example, port 25 for SMTP), enter this nonstandard port in the to Scan field and separate them by a comma. The following protocols are not supported by the UTM: • SMTP over SSL using port number 465 • POP3 over SSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 196
    ProSecure Unified Threat Management (UTM) Appliance Customize Email Antivirus and Notification Settings Whether or not the UTM detects an email virus, you can configure it to take a variety of actions (some of the default actions are listed in Table 41 on page 193) and send notifications, emails, or
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 197
    ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 42. Anti-Virus screen settings for email traffic Setting Action SMTP POP3 IMAP Description The Anti-Virus check box for SMTP is selected by default. When the UTM detects an
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 198
    ProSecure Unified Threat Management (UTM) Appliance Table 42. Anti-Virus screen settings for email traffic (continued) Setting Scan Exceptions Description The default maximum size of the email message that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 199
    ProSecure Unified Threat Management (UTM) Appliance Table 42. Anti-Virus screen settings for email traffic (continued) Setting Description Email Alert Settings Note: Ensure that the email notification server (see Configure the Email Notification Server on page 466) is configured before you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 200
    ProSecure Unified Threat Management (UTM) Appliance To configure email content filtering: 1. Select Application Security > Email > Email Filters. The Email Filters screen displays: Figure 110. Content Filtering and Optimizing Scans 200
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 201
    ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 43. Email Filters screen settings Setting Description Email Filters By default, the email filters are blank and enabled, that is, the Yes radio button is selected. After you have
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 202
    , the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can Emails that are detected as spam by the NETGEAR Spam Classification Center are either tagged or blocked. Content Filtering and Optimizing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 203
    ProSecure Unified Threat Management (UTM) Appliance This order of implementation ensures the optimum balance between spam prevention and system performance. For example, if an email originates from a whitelisted source, the UTM delivers the email immediately to its destination inbox without
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 204
    ProSecure Unified Threat Management (UTM) Appliance To configure the whitelist and blacklist: 1. Select Application Security > Email > Whitelist/Blacklist. The Whitelist/Blacklist screen displays. Figure 111. Content Filtering and Optimizing Scans 204
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 205
    ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 44. Whitelist/Blacklist screen settings Setting Description Whitelist/Blacklist By default, the whitelist and blacklist are blank and enabled, that is, the Yes radio button is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 206
    ProSecure Unified Threat Management (UTM) Appliance Configure the Real-Time Blacklist Blacklist providers are organizations that collect IP addresses of verified open SMTP relays that might be used by spammers as media for sending spam. These known spam relays are compiled by blacklist providers and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 207
    and POP3) or blocked (an option possible only for SMTP). Note: Unlike other scans, you do not need to configure the spam score because the NETGEAR Spam Classification Center scores the spam automatically as long as the UTM is connected to the Internet. However, this does mean that the UTM needs
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 208
    ProSecure Unified Threat Management (UTM) Appliance Figure 113. 2. Enter the settings as explained in the following table: Table 45. Distributed Spam Analysis screen settings Setting Description Distributed Spam Analysis SMTP Select the SMTP check box to enable distributed spam analysis for
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 209
    setting is to add the default tag to the subject line. Add tag X-NETGEAR-SPAM to mail header When Tag spam email is selected from the Action drop- the explanation earlier in this table), select this check box to add the X-NETGEAR-SPAM tag to the email header. The default setting is to add the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 210
    Content Filtering • Configure Web URL Filtering The UTM lets you configure the following settings to protect the network's Internet and web services communication: • The web protocols that are scanned for malware threats • Applications that are scanned for malware threats • Actions that are taken
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 211
    uses default port 21. You cannot change the default port in the corresponding Ports to Scan field. 3. If a protocol uses a port other than the standard service port (for example, port 80 for HTTP), enter this nonstandard port in the Ports to Scan field. For example, if the HTTP Content Filtering and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 212
    ProSecure Unified Threat Management (UTM) Appliance service on your network uses both port 80 and port HTTPS Smart Block feature and add profiles: 1. Select Application Security > Services > HTTPS Smart Block. The HTTPS Smart Block screen displays: Figure 115. Content Filtering and Optimizing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 213
    ProSecure Unified Threat Management (UTM) Appliance 2. In the HTTPS Smart Block Port section of the screen, enter up to five port numbers, separated by commas, for which you want the HTTPS Smart Block feature to function. Each port number needs to be between 1 and 65535. By default, the feature
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 214
    ProSecure Unified Threat Management (UTM) Appliance Figure 117. The HTTPS Smart Block Profiles table shows all the configured profiles, whether enabled or disabled. The HTTPS Smart Block List shows all the profiles that are enabled globally. By default, the table contains the All Domains profile. If
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 215
    ProSecure Unified Threat Management (UTM) Appliance To change a profile: 1. In the Action column of the HTTPS Smart Block Profiles table, click the Edit table button for the profile that you want to change. The Add or Edit HTTPS Smart Block Profile screen displays (see Figure 116 on page 213). 2.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 216
    ProSecure Unified Threat Management (UTM) Appliance Configure Web Malware or Antivirus Scans Whether or not the UTM detects web-based malware threats, you can configure it to take a variety of actions (some of the default actions are listed in Table 41 on page 193) and send notifications, emails, or
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 217
    , the content of a web page that is blocked because of a detected malware threat is replaced with the following text, which you can customize: NETGEAR ProSecure UTM has detected and stopped malicious code embedded in this web site or web mail, for protecting your computer and network from infection
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 218
    is allowed. You can specify a message such as Blocked by NETGEAR that is displayed onscreen if a LAN user attempts to access a specified as the keyword, all Internet browsing access is blocked. Note: Wildcards (*) are supported. For example, if www.net*.com is specified, any URL that begins with www.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 219
    Security > HTTP/HTTPS > Content Filtering. The Content Filtering screen displays. Because of the large size of this screen, it is presented in this manual in three figures (the following figure, Figure 120 on page 220, and Figure 121 on page 221). Figure 119. Content filtering, screen 1 of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 220
    ProSecure Unified Threat Management (UTM) Appliance Figure 120. Content filtering, screen 2 of 3 Content Filtering and Optimizing Scans 220
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 221
    ProSecure Unified Threat Management (UTM) Appliance Figure 121. Content filtering, screen 3 of 3 2. Enter the settings as explained in the following table: Table 48. Content Filtering screen settings Setting Description Content Filtering Log HTTP Traffic Select this check box to log HTTP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 222
    Setting Description Block Files with the Following Extensions By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions. The maximum total length
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 223
    ProSecure Unified Threat Management (UTM) Appliance Table 48. Content Filtering screen settings (continued) Setting Description Select the Web Categories You Wish to Block Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is selected.) Select
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 224
    the category displays next to Lookup Results. If the URL appears to be uncategorized, you can submit it to NETGEAR for analysis. Submit to NETGEAR To submit an uncategorized URL to NETGEAR for analysis, select the category in which you think that the URL needs to be categorized from the drop-down
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 225
    ProSecure Unified Threat Management (UTM) Appliance To configure web URL filtering: 1. Select Application Security > HTTP/HTTPS > URL Filtering. The URL Filtering screen displays. Figure 122. Content Filtering and Optimizing Scans 225
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 226
    precedence, and URLs on the whitelist are not scanned. Note: Wildcards (*) are supported. For example, if you enter www.net*.com in the URL field, any Export To export the URLs, click the Export table button, and follow the instructions of your browser. Type or copy a URL in the Add URL field.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 227
    or more URLs, highlight the URLs, and click the Delete table button. Export To export the URLs, click the Export table button, and follow the instructions of your browser. Type or copy a URL in the Add URL field. Then click the Add table button to add the URL to the URL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 228
    ProSecure Unified Threat Management (UTM) Appliance Configure HTTPS Scanning and SSL Certificates • How HTTPS Scanning Works • Configure the HTTPS Scan Settings • Manage SSL Certificates for HTTPS Scanning • Specify Trusted Hosts for HTTPS Scanning • Configure the SSL Settings for HTTPS Scanning How
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 229
    ProSecure Unified Threat Management (UTM) Appliance During SSL authentication, the HTTPS client authenticates three items: • Is the SSL certificate trusted? • Has the SSL certificate expired? • Does the name on the SSL certificate match that of the website? If one of these items is not authenticated
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 230
    : For HTTPS scanning to occur correctly, you need to add the HTTP proxy server port in the Ports to Scan field for the HTTPS service on the Services screen (see Customize Web Protocol Scan Settings on page 210). Show This Message When an HTTPS Connection Attempt Fails By default, a rejected HTTPS
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 231
    (see the following figure), the user can decide whether to trust the host. Figure 126. The UTM contains a self-signed certificate from NETGEAR. This certificate can be downloaded from the UTM login screen or from the Certificate Management screen for browser import. However, before you deploy the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 232
    of the size of this screen, and because of the way the information is presented, the Certificate Management screen is divided and presented in this manual in three figures (the following figure, Figure 128 on page 233, and Figure 129 on page 234). The UTM's Certificate Management screen lets you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 233
    into your browser: 1. Click Download for Browser Import. 2. Follow the instructions of your browser to save the RootCA.crt file on your computer. To reload the default NETGEAR certificate: 1. Select the Use NETGEAR default certificate radio button. 2. Click Apply to save your settings. To
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 234
    section of the screen, click Browse next to the Import from File field. 2. Navigate to a trusted certificate file on your computer. Follow the instructions of your browser to place the certificate file in the Import from File field. 3. Click the Upload button. The newly imported trusted certificate
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 235
    ProSecure Unified Threat Management (UTM) Appliance To delete an untrusted certificate: 1. From the Exceptions - Untrusted Certificates But Granted Access table, select the certificate. 2. Click Delete Selected. To move an untrusted certificate to the Trusted Certificate Authorities table: 1.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 236
    or more hosts, highlight the hosts, and click the Delete table button. Export To export the hosts, click the Export table button, and follow the instructions of your browser. Add Host Type or copy a trusted host in the Add Host field. Then click the Add table button to add the host
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 237
    ProSecure Unified Threat Management (UTM) Appliance Configure the SSL Settings for HTTPS Scanning To configure the SSL settings for HTTPS scanning: 1. Select Application Security > SSL Settings > SSL Settings. The SSL Settings screen displays. Figure 131. 2. Enter the settings as explained in the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 238
    ProSecure Unified Threat Management (UTM) Appliance Configure FTP Scanning • Customize FTP Antivirus Settings • Configure FTP Content Filtering Some malware threats are specifically developed to spread through the FTP protocol. By default, the UTM scans FTP traffic, but you can disable scanning of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 239
    ProSecure Unified Threat Management (UTM) Appliance Table 53. Anti-Virus screen settings for FTP (continued) Setting Description Scan Exception The default maximum size of the file or object that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 240
    Setting Description Block Files with the Following Extensions By default, the file extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions. The maximum total length
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 241
    profile, you can assign it to firewall rules on the following screens: • Add LAN WAN Outbound Services screen (see Figure 68 on page 141). • Add LAN WAN Inbound Services screen (see Figure 69 on page 142). • Add DMZ WAN Outbound Services screen (see Figure 71 on page 144). • Add DMZ WAN Inbound
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 242
    ProSecure Unified Threat Management (UTM) Appliance To configure an application control profile and enable application control: 1. Select Application Security > Application Control. The Application Control screen displays. (The following figure contains an example in the Application Control
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 243
    ProSecure Unified Threat Management (UTM) Appliance Figure 135. 3. Configure the common settings in the upper part of the screen as explained in the following table: Table 55. Common settings on the Add or Edit Application Control Profile screen Setting Name Brief Description Description A name
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 244
    ProSecure Unified Threat Management (UTM) Appliance Table 55. Common settings on the Add or Edit Application Control Profile screen Setting Description All Other Known Applications Known applications are the applications that you can select in the lower part of the screen. Specify whether all
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 245
    ProSecure Unified Threat Management (UTM) Appliance 5. In the Active Categories and Individual Applications table, set the policy for each selected category of applications and individual application by clicking the Edit table button to the right of each selection. The Application Control Policy pop
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 246
    of applications, or leave the default selection (None). By default, no profile is assigned. For information about QoS profiles, see Create Quality of Service Profiles on page 169. Policy for an individual application Note: The content of a pop-up screen for an individual application depends on the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 247
    selected application, or leave the default selection (None). By default, no profile is assigned. For information about QoS profiles, see Create Quality of Service Profiles on page 169. 7. Click Apply to save the policy settings. The pop-up screen closes. 8. Repeat Step 5 through Step 7 for other
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 248
    ProSecure Unified Threat Management (UTM) Appliance 2. Modify the settings that you wish to change (see the previous procedure). 3. Click Apply to save your changes. The modified application control profile is displayed in the Global Application Control Profile table or the Application Control
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 249
    ProSecure Unified Threat Management (UTM) Appliance • A combination of file extensions and protocols • One URL or URL expression • One built-in web category group or built-in individual web category To further refine exception rules, you can create custom categories that allow you to include either
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 250
    ProSecure Unified Threat Management (UTM) Appliance 2. Under the File Extension table at the bottom of the screen, click the Add table button to specify an exception rule. The Add or Edit Exceptions screen displays. The content of the lower part of the screen depends on the selection of the Category
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 251
    ProSecure Unified Threat Management (UTM) Appliance • File Extension. Figure 140. Add or edit exceptions: file extensions • HTTPS Smart Block. Figure 141. Add or edit exceptions: HTTPS Smart Block Content Filtering and Optimizing Scans 251
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 252
    ProSecure Unified Threat Management (UTM) Appliance • URL Filtering. Figure 142. Add or edit exceptions: URL filtering • Web Category. Figure 143. Add or edit exceptions: web categories 4. Complete the fields and make your selections from the drop-down lists as explained in the following table:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 253
    ProSecure Unified Threat Management (UTM) Appliance Table 57. Add or Edit Exceptions screen settings (continued) Setting Description Domain User/Group Click the Edit button to open the Applies To pop-up screen, which lets you configure a domain, group, or individual user to which the exception
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 254
    ProSecure Unified Threat Management (UTM) Appliance Table 57. Add or Edit Exceptions screen settings (continued) Setting Description Domain Local Groups User/Group (continued) Group Membership by IP Local User Search LDAP User/Group Search RADIUS User Do the following: 1. From the Name
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 255
    ProSecure Unified Threat Management (UTM) Appliance Table 57. Add or Edit Exceptions screen settings (continued) Setting Description Domain User/Group (continued) Custom Groups Do the following: 1. From the Name drop-down list, select a custom group. 2. Click the Apply button to apply the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 256
    extensions and one or more protocols, which you need to specify onscreen: 1. File Extensions. Manually enter up to 40 file extensions. Use commas to separate multiple file extensions. Wildcards (*) are supported. A single asterisk (*) matches any file extension. You can also use the drop-down list
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 257
    ProSecure Unified Threat Management (UTM) Appliance 5. Click Apply to save your settings. The new exception rule is added to the associated table on the Exceptions screen and is enabled by default. To return to the Exceptions screen without adding the rule, click Cancel. 6. Optional step: If you do
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 258
    ProSecure Unified Threat Management (UTM) Appliance Create Custom Categories for Exceptions for Web and Application Access Use custom categories to set exceptions for web and application access on the Exceptions screen (see Set Exception Rules for Web and Application Access on page 248). Each custom
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 259
    ProSecure Unified Threat Management (UTM) Appliance • Application. Figure 145. Custom categories: applications • URL Filtering. Figure 146. Custom categories: URL filtering Content Filtering and Optimizing Scans 259
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 260
    ProSecure Unified Threat Management (UTM) Appliance • Web Category. Figure 147. Custom categories: web categories 4. Complete the fields and make your selections from the drop-down lists as explained in the following table: Table 58. Custom Categories screen settings Setting Description Name A
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 261
    Add URL field or the Import from File tool (see explanations later in this table). You can add a maximum of 2000 URLs. Note: Wildcards (*) are supported. For example, if you enter www.net*.com in the Add URL field and then click the Add table button, any URL that begins with
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 262
    these files, you can configure a scanning exclusion for your web server. To configure scanning exclusion rules: 1. Select Application Security > Services > Scanning Exclusions. The Scanning Exclusions screen displays. This screen shows the Scanning Exclusions table, which is empty if you have not
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 263
    ProSecure Unified Threat Management (UTM) Appliance Figure 148. 2. In the Add Scanning Exclusions section of the screen, specify an exclusion rule as explained in the following table: Table 59. Scanning Exclusion screen settings Setting Description Client IP Fill in the client IP address and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 264
    7. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the UTM to provide secure, encrypted communications between your local network and a remote network or computer. This
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 265
    more information about the IP addressing requirements for VPNs in the dual WAN modes. For information about how to select and configure a Dynamic DNS service for resolving FQDNs, see Configure Dynamic DNS on page 91. For information about WAN mode configuration, see Configure the WAN Mode on page 80
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 266
    VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 267
    configured to function in WAN auto-rollover mode, you can use the VPN Wizard to configure VPN rollover and do not need to configure this manually. Figure 152. To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A pop-up
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 268
    ProSecure Unified Threat Management (UTM) Appliance Figure 153. The VPN Wizard default values screen lists some incorrect default values. The correct values are listed in the following table. Table 61. IPSec VPN Wizard default values for a gateway-to-gateway tunnel Setting IKE policy Exchange mode
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 269
    configured to function in WAN auto-rollover mode, you can use the VPN Wizard to configure VPN rollover and do not need to configure this manually. Connection Name and Remote IP Type What is the new Connection Name? Enter a descriptive name for the connection. This name is used to help you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 270
    should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported. Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically send ping packets to the host on the peer
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 271
    VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 276 or Manually Create a Secure Connection Using the NETGEAR VPN Client on
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 272
    configured to function in WAN auto-rollover mode, you can use the VPN Wizard to configure VPN rollover and do not need to configure this manually. Figure 157.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 273
    To display the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see Figure 153 on page 268), showing the wizard default values. The VPN Wizard default values
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 274
    VPN Wizard to configure VPN rollover and do not need to configure this manually. Connection Name and Remote IP Type What is the new Connection Enter a or IP addresses. A combination of an IP address and an FQDN is not supported. 3. Click Apply to save your settings. The IPSec VPN policy is now
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 275
    Figure 158. Note: When you are using FQDNs and a Dynamic DNS (DDNS) service, if the DDNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel fails because the FQDNs do not resolve to your new
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 276
    Configuration Wizard does not let you enter the local and remote IDs, so you need to enter this information manually. Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To use the Configuration Wizard to set up a VPN connection between the VPN client and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 277
    Figure 160. 3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 161. 4. Specify the following VPN tunnel parameters: • IP or DNS public (external) address of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 278
    Figure 162. 6. This screen is a summary screen of the new VPN configuration. Click Finish. 7. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 279
    c. Specify the settings that are explained in the following table. Table 66. VPN client advanced authentication settings Setting Advanced features Description Aggressive Mode Select this check box to enable aggressive mode as the mode of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 280
    client configuration is now complete. Instead of using the wizard on the VPN client, you can also manually configure the VPN client, which is explained in the following section. Manually Create a Secure Connection Using the NETGEAR VPN Client Note: Perform these tasks from a computer that has the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 281
    Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays. Figure 165.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 282
    Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The Authentication pane displays in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 283
    5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays. Figure 168. 7. Specify the settings that are explained in the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 284
    Table 68. VPN client advanced authentication settings (continued) Setting Description Local and Remote ID Local ID As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the UTM configuration. As the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 285
    Figure 169. 3. Specify the settings that are explained in the following table. Table 69. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 286
    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: 1. Click Global Parameters in the left column of the Configuration Panel
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 287
    UTM provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection. Test the NETGEAR VPN Client Connection There are many ways to establish a connection. The following procedures assume that you use
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 288
    Perform one of the following tasks: - Double-click Gateway-Tunnel. - Right-click Gateway-Tunnel, and select Open tunnel. - Click Gateway-Tunnel, and press Ctrl+O. Figure 172. • Use the system-tray icon. Right-click the system tray icon, and select
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 289
    VPN Client Status and Log Information To view detailed negotiation and error information about the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays. Figure 176. View
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 290
    The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 291
    as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 292
    182 on page 303) is used to start negotiations with the remote VPN gateway. • If the VPN policy is of a manual policy type, the settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen (see Figure 182 on page 303) are accessed, and the first matching
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 293
    Figure 179. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 72 on page 296. Table 71. List of IKE Policies table information Setting Name Mode Local ID Remote ID Encr
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 294
    All table button to select all IKE policies. 2. Click the Delete table button. For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE Policy on page 294. Note: You can delete or edit an IKE policy for which the VPN policy is active
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 295
    Figure 180.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 296
    3. Complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in the following table: Table 72. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Mode
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 297
    Table 72. Add IKE Policy screen settings (continued) Setting Identifier Type Remote Identifier Type IKE SA Parameters Encryption Algorithm Authentication Algorithm Description From the drop-down list, select one of the following ISAKMP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 298
    Table 72. Add IKE Policy screen settings (continued) Setting Description Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the UTM and the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 299
    Table 72. Add IKE Policy screen settings (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 300
    You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. You manually enter all settings (including the keys) for the VPN tunnel on the UTM and on the remote VPN endpoint. No third-party server or organization
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 301
    create a VPN policy, the name of the VPN policy (and of the automatically created accompanying IKE policy) is the connection name. Auto or Manual as described previously (Auto is used during VPN Wizard configuration). IP address (either a single address, range of addresses, or subnet address) on your
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 302
    table button to select all VPN policies. 2. Click the Enable or Disable table button. For information about how to add or edit a VPN policy, see Manually Add or Edit a VPN Policy on this page. Note: You can delete or edit an IKE policy for which the VPN policy is active without
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 303
    Figure 182.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 304
    Policy Parameters section of the screen) for the VPN tunnel are generated automatically. • Manual Policy. All settings need to be specified manually, including the ones in the Manual Policy Parameters section of the screen. Select a WAN interface from the drop-down list to specify the WAN interface
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 305
    the VPN tunnel on the remote endpoint. The selections are the same as for the Local IP drop-down list. Manual Policy Parameters Note: These fields apply only when you select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 306
    Table 74. Add New VPN Policy screen settings (continued) Setting Encryption Algorithm Key-In Key-Out SPI-Outgoing Integrity Algorithm Key-In Key-Out Description From the drop-down list, select one of the following five algorithms to negotiate
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 307
    Table 74. Add New VPN Policy screen settings (continued) Setting Description Auto Policy Parameters Note: These fields apply only when you select Auto Policy as the policy type. SA Lifetime The lifetime of the security association (SA) is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 308
    server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The UTM is used as a VPN concentrator on which
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 309
    Configure XAUTH for VPN Clients Once the XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 310
    screen, as described in Configure User Accounts on page 401. RADIUS Client and Server Configuration Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 311
    2. Complete the fields and select the radio buttons as explained in the following table: Table 76. RADIUS Client screen settings Setting Primary RADIUS Server Description To enable and configure the primary RADIUS server, select the Yes radio
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 312
    Config Record screen that is shown in Figure 185 on page 314). Note: After configuring a Mode Config record, you need to configure an IKE policy manually, and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 313
    To configure Mode Config on the UTM: 1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 184. As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 314
    Figure 185. 3. Complete the fields, select the check box, and make your selections from the drop-down lists as explained in the following table: Table 77. Add Mode Config Record screen settings Setting Client Pool Record Name First Pool Second
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 315
    Table 77. Add Mode Config Record screen settings (continued) Setting Description DNS Server Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 316
    6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays. (The following figure shows the upper part only of a multiple WAN port model screen.) The WAN drop-down list (next to Select Local Gateway) is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 317
    Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 72 on page 296 explains the general IKE policy settings. Table 78. IKE policy settings for a Mode Config configuration
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 318
    . When the period times out, the next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour). Enable Dead Peer Detection Note: See also Configure Keep-Alives and Dead Peer Detection on page 328. Select
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 319
    Table 78. IKE policy settings for a Mode Config configuration (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 320
    Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 321
    Figure 188. 3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is the name for the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 322
    4. Specify the settings that are explained in the following table. Table 79. VPN client authentication settings (Mode Config) Setting Interface Description Select Any from the drop-down list. Remote Gateway Preshared Key Enter the remote IP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 323
    7. Specify the settings that are explained in the following table. Table 80. VPN client advanced authentication settings (Mode Config) Setting Advanced features Description Mode Config Select this check box to enable Mode Config. Aggressive
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 324
    Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The IPSec pane displays in the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 325
    Table 81. VPN client IPSec configuration settings (Mode Config) (continued) Setting Description Subnet mask ESP Enter 255.255.255.0 as the remote subnet mask of the UTM that opens the VPN tunnel. This is the LAN IP subnet mask that you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 326
    2. Specify the following default lifetimes in seconds to match the configuration on the UTM: • Authentication (IKE), Default. Enter 3600 seconds. • Encryption (IPSec), Default. Enter 3600 seconds. 3. Select the Dead Peer Detection (DPD) check box,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 327
    Figure 195. 3. From the client computer, ping a computer on the UTM LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy. To edit a Mode Config record:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 328
    reason. For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device. Configure Keep-Alives The keep-alive feature maintains the IPSec SA by sending periodic ping
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 329
    3. Enter the settings as explained in the following table: Table 82. Keep-alive settings Setting Description General Enable Keepalive Select the Yes radio button to enable the keep-alive feature. Periodically, the UTM sends keep-alive
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 330
    as naming and neighborhood device discovery. Because VPN routers do not usually pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the UTM to bridge NetBIOS traffic over the VPN tunnel. To enable
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 331
    Protocol (PPTP) server on the UTM to allow users to access PPTP clients over PPTP tunnels. A maximum of five simultaneous PPTP user sessions are supported. (The very first IP address of the PPTP address pool is used for distribution to the UTM.) A PPTP user typically initiates a tunnel request; the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 332
    To enable the PPTP server and configure the PPTP server pool, authentication, and encryption: 1. Select VPN > PPTP Server. The PPTP Server screen displays: Figure 199. 2. Enter the settings as explained in the following table: Table 84. PPTP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 333
    the PPTP users to the domain (see Configure User Accounts on page 401). Encryption If the authentication is MSCHAP or MSCHAPv2, the PPTP server can support Microsoft Point-to-Point Encryption (MPPE). Select one or more of the following types of MPPE: • MPPE-40. MPPE 40-bit encryption. • MPPE-128
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 334
    Protocol (L2TP) server on the UTM to allow users to access L2TP clients over L2TP tunnels. A maximum of five simultaneous L2TP user sessions are supported. (The very first IP address of the L2TP address pool is used for distribution to the UTM.) An L2TP Access Concentrator (LAC) typically initiates
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 335
    CHAP version 2 (MSCHAPv2). Note: For each authentication method that you want to use for L2TP users, you need to have created a domain that supports the authentication method (see Configure Domains on page 388) and have added the L2TP users to the domain (see Configure User Accounts on page 401
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 336
    the Stop button. For More IPSec VPN Information Visit http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and forum includes a Resources section with UTM How-To's, including the following guides: • How to Configure UTM and Apple iPhone and iPad for IPSec VPN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 337
    client can establish an encrypted connection. With support for up to 13 dedicated SSL VPN Build a Portal Using the SSL VPN Wizard • Manually Configure and Modify SSL Portals • For More SSL The UTM's SSL VPN portal can provide two levels of SSL service to the remote user: • SSL VPN tunnel. The UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 338
    several ways: - Port forwarding supports only TCP connections, not UDP the remote user with one or both of these SSL service levels, depending on how you set up the configuration. Build how to edit policies or to configure policies manually, see Manually Configure and Modify SSL Portals on page 357.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 339
    explain the buttons and fields of the SSL VPN Wizard screens. Additional information about the settings in the SSL VPN Wizard screens is provided in Manually Configure and Modify SSL Portals on page 357 or in other chapters. Each of the following sections provides a specific link to a section in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 340
    top of the user's web browser window, for example, Company Customer Support. Banner Title The banner title of a banner message that users see before they log in to the portal, for example, Welcome to Customer Support. Banner Message The text of a banner message that users see before
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 341
    "> Note: NETGEAR strongly recommends enabling browsers that do not support ActiveX. SSL VPN services. After you have completed the steps in the SSL VPN Wizard, you can change the portal settings by selecting VPN > SSL VPN > Portal Layout. For more information about portal settings, see Manually
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 342
    SSL VPN Wizard Step 2 of 6 (Domain Settings) Figure 205. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 343
    WARNING: Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings and the UTM reboots to recover its configuration. Table 89. SSL VPN Wizard Step 2 of 6 screen
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 344
    the following fields: - Authentication Server - Authentication Secret - Radius Port - Repeat - Timeout • MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete the following fields: - Authentication Server - Authentication Secret - Radius Port - Repeat - Timeout • NT Domain
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 345
    Table 89. SSL VPN Wizard Step 2 of 6 screen settings (domain settings) (continued) Setting Description Portal The portal that you selected on the first SSL VPN Wizard screen. You cannot change the portal on this screen; the portal is displayed
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 346
    Table 89. SSL VPN Wizard Step 2 of 6 screen settings (domain settings) (continued) Setting Description Search Base LDAP and Active Directory (continued) The DN at which to start the search, specified as a sequence of relative distinguished
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 347
    SSL VPN Wizard Step 3 of 6 (User Settings) Figure 206. Note that the previous figure contains an example. Enter the settings as explained in the following table, and then click Next to go to the following screen. WARNING: Do not enter an existing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 348
    After you have completed the steps in the SSL VPN Wizard, you can change the user settings or add more users for this portal by selecting Users > Users. For more information about user settings, see Configure User Accounts on page 401. Note: A user
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 349
    or specify a destination network IP address of a local network or subnet that has not yet been used. This setting applies only when full-tunnel support is disabled. Subnet Mask Leave this field blank, or specify the address of the appropriate subnet mask. This setting applies only when full-tunnel
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 350
    SSL VPN Wizard Step 5 of 6 (Port Forwarding) Note: This screen displays only if you have selected the Port Forwarding check box on the SSL VPN Wizard Step 1 of 6 screen (see Figure 204 on page 339). Figure 208. Note that the previous figure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 351
    22a (continued) Telnet 23a SMTP (send mail) 25 HTTP (web) 80 POP3 (receive mail) 110 NTP (Network Time Protocol) 123 Citrix 1494 Terminal Services 3389 VNC (virtual network computing) 5900 or 5800 Add New Host Name for Port Forwarding Local Server IP Address The IP address of an
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 352
    Figure 209.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 353
    your settings. If the settings are accepted by the UTM, a message Operation Succeeded displays at the top of the screen, and the Welcome to the Netgear Configuration Wizard screen displays again (see Figure 203 on page 338). Access the New SSL VPN Portal To access the new SSL VPN portal that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 354
    Figure 211. 3. To verify access, enter the user name and password that you created with the SSL VPN Wizard. Note: Any user for whom you have set up a user account that is linked to the domain for the portal and who has knowledge of the portal URL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 355
    Forwarding. Provides access to the network services that you defined as described in SSL VPN Wizard Step 5 of 6 (Port Forwarding) on page 350. • Change Password. Allows the user to change his or her password. • Support. Provides access to the NETGEAR website.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 356
    SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port-forwarding tunnel, the NETGEAR port-forwarding engine is installed. There are other portal screens that should not be confused with a portal screen that you can create with the SSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 357
    Simplify Policies • Configure User, Group, and Global Policies To manually configure and activate SSL connections, perform the following six basic presented: 1. Edit the existing SSL portal or create a new one (see Manually Create or Modify the Portal Layout on page 359). When remote users log in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 358
    qualified domain names (FQDNs) with these servers. The UTM resolves the names to the servers using the list you have created. 4. For SSL VPN tunnel service, configure the virtual network adapter (see Configure the SSL VPN Client on page 365). For the SSL VPN tunnel option, the UTM creates a virtual
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 359
    is customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact information, or VPN-related news updates to remote not relate to other figures and examples in this manual. The portal URL normally includes the WAN IP address of the UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 360
    The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 211 on page 354). • Use Count. The number of remote
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 361
    user's web browser window, for example, Company Customer Support. The banner title of a banner message that users see before they log cache-control" content="must-revalidate"> ActiveX web cache cleaner Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 362
    Pages to Display VPN Tunnel page To provide full network connectivity, select this check box. Port Forwarding To provide access to specific defined network services, select this check box. Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 363
    Configure Applications for Port Forwarding Port forwarding provides access to specific defined network services. To define these services, you need to specify the internal server addresses and port numbers for TCP applications that are intercepted by the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 364
    21; SSH 22 (a); Telnet 23 (a); SMTP (send mail) 25; HTTP (web) 80; POP3 (receive mail) 110; NTP (Network Time Protocol) 123; Citrix 1494; Terminal Services 3389; VNC (virtual network computing) 5900 or 5800. (a) Users can specify the port number together with the host name or IP address. 3. Click
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 365
    10.0.0.45.) • Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth: - A full tunnel sends all of the client's the VPN tunnel for local traffic only. • If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 366
    enabled, and you need to add client routes (see Add Routes for VPN Tunnel Clients on page 367). Note: When full-tunnel support is enabled, client routes are not operable. DNS Suffix A DNS suffix to be appended to incomplete DNS search strings. This setting is optional.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 367
    Table 95. SSL VPN Client screen settings (continued) Setting Description Primary DNS Server The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This setting is optional. Note: If you do not assign a DNS server
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 368
    time-out period, which determines when an SSL VPN connection is terminated after a problem has been detected on a link between the UTM and an SSL VPN client. , all SSL VPN connections are terminated. Users need to manually reestablish the SSL VPN connections. 4. Click Apply to save your settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 369
    Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 370
    resource. You cannot modify the resource name after you have created it on the first Resources screen. Service The SSL service that is assigned to the resource. You cannot modify the service after you have assigned it to the resource on the first Resources screen.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 371
    , and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The UTM policy hierarchy is defined as follows: • User policies take precedence
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 372
    For example, assume the following global policy configuration: • Policy 1. A Deny rule has been configured to block all services to the IP address range 10.0.0.0-10.0.0.255. • Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2-10.0.1.10
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 373
    View Policies To view the existing policies: 1. Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen in view. (The following figure shows some examples.) Figure 223. 2. Make your selection from the following Query
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 374
    Figure 224. 3. Select the radio buttons, complete the fields, and make your selection from the drop-down lists as explained in the following table: Table 97. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 375
    to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic. Service From the drop-down list, select the service to which the SSL VPN policy is applied: • VPN Tunnel. The policy is applied only to a VPN tunnel. • Port Forwarding. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 376
    to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic. Service From the drop-down list, select the service to which the SSL VPN policy is applied: • VPN Tunnel. The policy is applied only to a VPN tunnel. • Port Forwarding. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 377
    the Select All table button to select all policies. 2. Click the Delete table button. For More SSL VPN Information Visit http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to become part of the ProSecure community. The forum includes a Resources section
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 378
    9. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • Authentication Process and Options • Configure Authentication Domains, Groups, and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 379
    CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 provide specific group policies or bookmarks based on LDAP attributes. The UTM supports single sign-on (SSO) through the use of the DC agent
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 380
    Administrative Users and Users with Guest Privileges Users with administrative and guest privileges on the UTM need to log in through the NETGEAR Configuration Manager Login screen (see the following figure), where they are authenticated through the UTM's local user database. These users need to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 381
    the method that you have configured for the domain. The lower part of the NETGEAR Configuration Manager Login screen (see the previous figure) provides a User Portal Login VPN Wizard on page 338 and Manually Create or Modify the Portal Layout on page 359.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 382
    Figure 226. The User Portal Login screen displays three links: • Download CA certificate. The first time that a user remotely connects to a UTM with a browser through an SSL connection, he or she might get a warning message about the SSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 383
    see DC Agent on page 409), after completing a session, a user needs to log out manually by following these steps: 1. Return to the User Portal Login screen (see Figure 226 on /user_login.pl Alternately, the administrator can provide the NETGEAR Configuration Manager Login screen, from which the user
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 384
    Process and Options on page 378. The UTM supports security policies that are based on an Active Directory with single sign-on (SSO) through the use of the DC agent (see DC Agent on page 409) and additional LDAP configuration options. Note: This manual assumes that you already have some knowledge of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 385
    • An OU is created in the root node (for example, dc=companyname, dc=com) of the hierarchy. In a company AD, an OU often represents a regional office or department. • A group is created under cn=users. • A user is created under each OU so that the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 386
    Figure 228. 4. To verify Jamie Hanson's user login name, click the Account tab. The account properties for Jamie Hanson display. Figure 229. 5. Log in to the UTM.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 387
    the Select Portal drop-down list. 11. Enter 192.168.35.115 in the Authentication Server field. 12. Enter the company information (for example, dc=netgear,dc=com) in the Active Directory Domain field. 13. To bind the user Jamie Hanson to the AD server for authentication on the UTM, use
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 388
    Figure 231. 14. Complete the remaining fields and drop-down list as needed. 15. Click Apply to save your settings. Configure Domains The domain determines the authentication method to be used for associated users. For SSL connections, the domain
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 389
    The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The default domain name (geardomain) is appended by an asterisk. •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 390
    3. Enter the settings as explained in the following table: Table 99. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 391
    RADIUS servers are configured (see RADIUS Client and Server Configuration on page 310). • MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the following fields: - Authentication Server - Authentication Secret - Radius Port - Repeat - Timeout • MIAS-CHAP. Microsoft Internet
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 392
    Table 99. Add Domain screen settings (continued) Setting Description Authentication Secret All RADIUS, WiKID, and MIAS authentication types The authentication secret or password that is required to access the authentication server for RADIUS,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 393
    of the Domain screen (see Figure 232 on page 388), select the No radio button. Note: A combination of local and external authentication is supported. WARNING: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the UTM is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 394
    To delete one or more domains: 1. In the List of Domains table, select the check box to the left of each domain that you want to delete, or click the Select All table button to select all domains. You cannot delete a default domain. 2. Click the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 395
    Create and Delete Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the UTM's default group, geardomain, and, as an example, several other groups in the List of Groups table.) The List
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 396
    2. In the Add New Group section of the screen, enter the settings as explained in the following table: Table 100. Groups screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 397
    Figure 235. Except for groups that are associated with domains that use the LDAP authentication method, you can modify only the idle time-out settings. You can never modify the Group Name and Group's Auth Type fields. 3. Modify the idle time-out
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 398
    Figure 236. 2. Under the Custom Groups table, click the Add table button to specify a custom group. The Add Custom Group screen displays: Figure 237.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 399
    3. Complete the fields and make your selections from the drop-down lists as explained in the following table: Table 101. Add Custom Group screen settings Setting Description Name A name of the custom group for identification and management
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 400
    Table 101. Add Custom Group screen settings (continued) Setting Description Add LDAP Users/Groups User/Group to this group Search (continued) Do the following: 1. From the Domain drop-down list, select an LDAP domain. 2. From the Type drop
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 401
    Configure User Accounts The UTM supports both unauthenticated and authenticated users: • . • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 402
    Figure 238. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 403
    User. User who can log in only to the SSL VPN portal. • IPSEC VPN User. User who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 308). • Guest User. User who can only
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 404
    Set User Login Policies You can restrict the ability of defined users to log in to the UTM's web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. Note: User logon policies are
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 405
    Configure Login Restrictions Based on IP Address To restrict logging in based on IP address: 1. Select Users > Users. The Users screen displays (see Figure 238 on page 402). 2. In the Action column of the List of Users table, click the Policies
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 406
    6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: Table 103. By Source IP Address screen settings Setting Description Source
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 407
    Figure 242. 4. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table. • Allow Login only from Defined
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 408
    users have read-only access. Note: The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 409
    • IPSEC VPN User. User who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended a domain controller (DC) server that runs Windows Server 2003 with Service Pack 1 (SP1) or Windows Server 2008, you can use the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 410
    Note: The DC agent does not function with LDAP domain users. The DC agent monitors all Windows login events (that is, all AD domain user authentications) on the DC server, and provides a mapping of Windows user names and IP addresses to the UTM,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 411
    List of DC Agents table, click the Download/Install link to download the ProSecure DC Agent software (that is, the dc_agent.mis file). Follow the instructions of your browser to save the software file to your computer. 3. Install the ProSecure DC Agent software on each domain controller (DC) server
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 412
    4. On the DC Agent screen (see Figure 244 on page 411), complete the fields and make your selections from the drop-down lists as explained in the following table: Table 105. DC Agent screen settings Setting Description Domain From the Domain
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 413
    b. Click the Add table button to add a domain. The Add Domain screen displays: Figure 246. c. Enter the following settings: • In the Domain Name field, enter Test_Domain. • From the Authentication Type drop-down list, select Active Directory. •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 414
    2. Add a DC agent on the UTM50: a. Select Users > DC Agent. The DC Agent screen displays: Figure 247. b. In the Domain field, enter Test_Domain. c. In the Action column, click Add. 3. Add the IP address of the UTM50 on the ProSecure DC Agent
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 415
    Configure RADIUS VLANs You can use a RADIUS virtual LAN (VLAN) to set web access exceptions and provide an added layer of security. To do so, follow this procedure: 1. Specify a RADIUS server (see RADIUS Client and Server Configuration on page
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 416
    3. Click the Add table button. The new VLAN is added to the List of VLAN table. To delete a user from the List of VLAN table, click the Delete table button in the Action column for the VLAN that you want to delete. Configure Global User Settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 417
    4. Click Apply to save the session settings. 5. Locate the Users Portal Login Settings section on screen. Specify the default domain settings: • From the Default Domain drop-down list, select a domain that you previously configured on the Domain
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 418
    To view all or selected users: 1. On the Active Users screen (see the previous figure), select one of the following radio buttons: • View All. This selection returns all active users after you click the Search button. • Search Criteria. Enter
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 419
    The List of Users table displays the following fields: • IP Address. The IP address that is associated with the user. • Domain. The domain to which the user belongs. • User. The user name. • Groups. The groups to which the user belongs, if any. •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 420
    certificate from NETGEAR. This certificate can be downloaded from the UTM login screen for browser import. However, NETGEAR recommends that the information is presented, the Certificates screen is divided and presented in this manual in three figures (Figure 253 on page 421, Figure 255 on page 423
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 421
    • Active Self Certificates table. Contains the self-signed certificates that were issued by CAs and that you uploaded (see Manage Self-Signed Certificates on page 422). • Self Certificate Requests table. Contains the self-signed certificate
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 422
    To upload a digital certificate of a trusted CA on the UTM: 1. Download a digital certificate file from a trusted CA and store it on your computer. 2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 423
    Generate a CSR and Obtain a Self-Signed Certificate from a CA To use a self-signed certificate, you first need to request the certificate from a CA, and then download and activate the certificate on the UTM. To request a self-signed certificate
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 424
    2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: Table 107. Generate self-signed certificate request settings Setting Description Name Subject A descriptive name of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 425
    , copy the data from your saved text file (including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----"). d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA. 7. Download the digital certificate file from the CA, and store it on your
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 426
    To delete one or more SCRs: 1. In the Self Certificate Requests table, select the check box to the left of each SCR that you want to delete, or click the Select All table button to select all SCRs. 2. Click the Delete table button. View and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 427
    The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity. The official name of the CA that issued the CRL. • Last Update. The date when the CRL was released. • Next Update. The date when the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 428
    and multiple WAN port models). 4000 Mbps (four LAN ports at 1000 Mbps each), except for the UTM50, which has six LAN ports and therefore supports up to 6000 Mbps. • WAN side - Load balancing mode (multiple WAN port models only). 2000 Mbps (two WAN ports at 1000 Mbps each), except for
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 429
    are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates: • Load balancing mode (multiple WAN port models only outbound rules (also referred to as service blocking) • DMZ WAN outbound rules (also referred to as service blocking) • Content filtering • Source
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 430
    the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 129. For detailed procedures on how to configure outbound rules, see Configure LAN WAN Rules on page 139 and Configure DMZ
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 431
    and then apply them to outbound rules to regulate the priority of traffic. For information about how to define QoS profiles, see Create Quality of Service Profiles on page 169. • Traffic Meter profile. You can define traffic meter profiles and then apply them to outbound rules to measure traffic and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 432
    - Web services blocking. You can block web services such as instant messaging, peer-to-peer and media applications, and tools. For more information, see Customize Web Protocol Scan Settings on page 210. - Web
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 433
    or application does not display in the list, you need to define it using the Services screen (see Outbound Rules (Service Blocking) on page 129 and Add Customized Services on page 163). • WAN destination IP address. For the multiple WAN port models only, you can specify the destination IP address
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 434
    server) and provide public access to them. On the UTM5, UTM10, UTM25, and UTM150, LAN port 4 can be dedicated as a hardware DMZ port to provide services safely to the Internet without compromising security on your LAN. On the UTM50, LAN port 6 can be dedicated as a hardware DMZ port. By default, the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 435
    an Exposed Host on page 152. Configure VPN Tunnels The UTM supports site-to-site IPSec VPN tunnels and dedicated SSL VPN tunnels. Each The QoS profile settings determine the priority and, in turn, the quality of service for the traffic passing through the UTM. After you have created a QoS profile
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 436
    Scan Signatures and Scan Engine Firmware • Configure Date and Time Service Change Passwords and Administrator and Guest Settings The default administrator guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 437
    2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays: Figure 259. 3. Select the Check to Edit Password check box. The password fields become available. 4.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 438
    anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the UTM and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Change Passwords and Administrator and Guest Settings on page
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 439
    Note: For enhanced security, restrict access to as few external IP addresses as practical. See Set User Login Policies on page 404 for instructions about restricting administrator access by IP address. Note: To maintain security, the UTM rejects a login that uses http://address rather than the SSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 440
    on page 404). Note: If you disable HTTPS remote management, all SSL VPN user connections are also disabled. Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your UTM by running tracert from the Windows Run menu option. Trace the route
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 441
    Figure 261.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 442
    Select the check boxes for the events for which SNMP traps should be sent: • WAN connection failure • Licenses status changed • Service status changed • Spam detected • Malware detected • Malware outbreak • IPS detected • IPS outbreak • WAN failover detected • User login failed • Traffic occurred
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 443
    To configure the SNMPv3 settings: 1. Select Administration > SNMP. The SNMP screen displays (see Figure 261 on page 441). 2. In the SNMPv3 Settings section of the screen, click the Add table button to configure a new SNMPv3 user profile. The Add/
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 444
    the events for which SNMP traps should be sent: • WAN connection failure • Traffic occurred • Licenses status changed • Component updated • Service status changed • System status changed • Spam detected • Dos attack detected • Malware detected • Port scan attack detected • Malware outbreak
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 445
    The SNMPv3 Settings table shows the following columns: • User Name. The SNMPv3 user name. • Security Level. The level of security that indicates whether authentication and encryption are enabled: - NoAuth, NoPrivate. Both authentication and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 446
    saves all UTM settings to a file. These settings include: • Network settings. IP address, subnet mask, gateway, and so on. • Scan settings. Services to scan, primary and secondary actions, and so on. • Update settings. Update source, update frequency, and so on. • Antispam settings. Whitelist
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 447
    Restore Settings WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the UTM system software. To restore settings from a backup
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 448
    password is password, and the LAN IP address is 192.168.1.1. Update the Firmware The UTM can automatically detect a new firmware version from a NETGEAR update server. The firmware upgrade process for the UTM consists of the following four stages: 1. Querying the available firmware versions from the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 449
    ). 2. To see which other firmware versions are available, click Query under the Firmware Download section to allow the UTM to connect to the NETGEAR update server. The Firmware Download section shows the available firmware versions, including any new versions, and the date when the current firmware
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 450
    ProSecure Unified Threat Management (UTM) Appliance To upgrade the UTM's firmware directly from an update server and reboot the UTM: 1. In the Firmware Download section of the Firmware screen, click Query to display the available firmware versions. 2. Select the radio button that corresponds to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 451
    configuration and manually reconfigure your UTM after upgrading it. Refer to the firmware release notes that NETGEAR makes available. NETGEAR Support website at http://support.netgear.com, and navigate to the product support page. 2. Locate the available firmware versions. 3. Follow the instructions
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 452
    ProSecure Unified Threat Management (UTM) Appliance To upgrade the UTM's firmware from a downloaded file and reboot the UTM: 1. In the Firmware Upload section of the Firmware screen, click Browse to locate and select the previously saved firmware upgrade file (for example, UTM50-Firmware-V3.3.0-17
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 453
    the old firmware is now the secondary firmware. Note: In some cases, such as a major upgrade, it might be necessary to erase the configuration and manually reconfigure your UTM after upgrading it. Refer to the firmware release notes that NETGEAR makes available. Network and System Management 453
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 454
    ProSecure Unified Threat Management (UTM) Appliance Reboot without Changing the Firmware To reboot the UTM without changing the firmware: 1. In the Firmware Reboot section of the Firmware screen (see the previous figure), select the active firmware version by selecting the Activation radio button
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 455
    ProSecure Unified Threat Management (UTM) Appliance Figure 267. The Info section onscreen shows the following information fields for the scan engine firmware and pattern file: • Current Version. The version of the files. • Last Updated. The date of the most recent update. To update the scan engine
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 456
    radio buttons: • Default update server. Files are updated from the default NETGEAR update server. • Server address. Files are updated from the server that you 2. Click Apply to save your settings. Configure Date and Time Service Configure date, time, and NTP server designations on the System Date
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 457
    The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Thu May 21 01:37 are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 458
    WAN ISP Settings screens of the multiple WAN port models (see Manually Configure the Internet Connection on page 75.) Connect to a ReadyNAS these storage requirements, you need to connect the UTM to a NETGEAR ReadyNAS and configure the quarantine settings. Without integration with a ReadyNAS,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 459
    ProSecure Unified Threat Management (UTM) Appliance Log Storage After you have integrated a ReadyNAS with the UTM-whether or not you have configured the quarantine settings-all logs that are normally stored on the UTM are now stored on the ReadyNAS. That is, all logs that you can specify on the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 460
    ProSecure Unified Threat Management (UTM) Appliance Figure 269. 2. To connect to the ReadyNAS, select the Yes radio button. 3. Enter the settings as explained in the following table: Table 112. ReadyNAS Integration screen settings Setting Description ReadyNAS Server The IP address of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 461
    ProSecure Unified Threat Management (UTM) Appliance Figure 270. 2. To enable the UTM to quarantine files, select the Yes radio button. 3. Enter the settings as explained in the following table: Table 113. Quarantine settings Setting Allow anonymous users to check quarantined mails Description
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 462
    11. Monitor System Access and Performance This chapter describes the system-monitoring features of the UTM. You can be alerted to important events such as a WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 463
    ProSecure Unified Threat Management (UTM) Appliance To monitor traffic limits on each of the WAN ports, and for the UTM9S and UTM25S, also on the xDSL (SLOT-1 or SLOT-2) and USB ports: 1. Select Network Config > WAN Metering. On the multiple WAN port models, the WAN Metering tabs display, with the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 464
    ProSecure Unified Threat Management (UTM) Appliance Table 114. WAN traffic meter settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on WAN1? (multiple WAN port models) or Do you want to enable Traffic Metering on WAN? (single WAN port models) Select one of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 465
    ProSecure Unified Threat Management (UTM) Appliance Table 114. WAN traffic meter settings (continued) Setting Description When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the UTM performs when the traffic limit has been reached: • Block All
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 466
    , the UTM logs security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and login attempts, content-filtering events such as attempts to access blocked sites and URLs, unwanted email content, spam
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 467
    settings Setting Show as Mail Sender SMTP Server Description A descriptive name of the sender for email identification purposes. For example, enter [email protected]. The IP address and port number or Internet name and port number of your ISP's outgoing email SMTP server. The default
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 468
    ProSecure Unified Threat Management (UTM) Appliance To configure and activate logs: 1. Select Monitoring > Logs & Reports. The Logs & Reports submenu tabs display, with the Email and Syslog screen in view: Figure 274. Monitor System Access and Performance 468
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 469
    ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 116. Email and Syslog screen settings Setting Description System Logs Option Select the check boxes to specify which system events are logged: • Change of Time by NTP. Logs a
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 470
    Syslog screen settings (continued) Setting Description Enable (continued) Select Logs to • Send (continued) • Service Logs. All events that are related to the status of scanning and filtering services that you access from the Application Security main navigation menu. These events include
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 471
    ProSecure Unified Threat Management (UTM) Appliance Table 116. Email and Syslog screen settings (continued) Setting Description Clear the Following Logs Information Select the check boxes to specify which logs are cleared. The Clear the Following Logs Information section of the screen lists the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 472
    ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save the settings. To change the remote IP address in the VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policy screen displays. 2. Next to the policy name for the Gateway 1-to-Gateway 2 autopolicy, click Edit.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 473
    failure, malware attack, malware outbreak attack, intrusion prevention system (IPS) attack, or IPS outbreak attack occurs. Eight types of alerts are supported: • Traffic Meter Limit Alerts. Sent when the traffic meter (for LAN usage) exceeds a limit. • Update failure alert. Sent when an attempt
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 474
    ProSecure Unified Threat Management (UTM) Appliance Figure 275. 2. Enter the settings as explained in the following table: Table 117. Alerts screen settings Setting Description Enable Traffic Select this check box to enable traffic meter limit alerts. This check box is cleared by Meter Limit
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 475
    ProSecure Unified Threat Management (UTM) Appliance Table 117. Alerts screen settings (continued) Setting Description Enable Malware Alerts Select this check box to enable malware alerts, and fill in the Subject and Message fields. This check box is cleared by default. Subject Enter the subject
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 476
    Profiles on page 171), or both, have been exceeded. Note: Enabling firewall logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. To configure and activate firewall logs: 1. Select Monitoring > Logs & Reports
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 477
    with detected network threats, detected network traffic, and service statistics for the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, of the size of the Dashboard screen, it is divided and presented in this manual in three figures (the following figure, Figure 278 on page 480, and Figure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 478
    ProSecure Unified Threat Management (UTM) Appliance Figure 277. Dashboard, screen 1 of 3 To clear the statistics, click Clear Statistics. Monitor System Access and Performance 478
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 479
    ProSecure Unified Threat Management (UTM) Appliance To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval drop-down list, select a new interval. The minimum is 5 seconds; the maximum is 5 minutes. 3. Click the Set Interval button. The following table explains the fields of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 480
    ProSecure Unified Threat Management (UTM) Appliance Table 119. Dashboard screen: threats and traffic information (continued) Item Description Threats (Counts) This is a graphic that shows the relative number of threats and access violations over the last week, using different colors for the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 481
    ProSecure Unified Threat Management (UTM) Appliance The following table explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen: Table 120. Dashboard screen: most recent 5 threats and top 5 threats information Category Most recent 5 threats description Top 5 threats
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 482
    . Dashboard, screen 3 of 3 The following table explains the fields of the Service Statistics section of the Dashboard screen: Table 121. Dashboard screen: service statistics information Item Description For each of the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP), this section
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 483
    ProSecure Unified Threat Management (UTM) Appliance Table 121. Dashboard screen: service statistics information (continued) Item Total Spam Emails Description The total number of spam messages that were blocked. These statistics are applicable only to SMTP and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 484
    ProSecure Unified Threat Management (UTM) Appliance Line chart icon Pie chart icon Figure 280. Monitor System Access and Performance 484
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 485
    ProSecure Unified Threat Management (UTM) Appliance To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval drop-down list, select a new interval. The minimum is 30 seconds; the maximum is 20 minutes. 3. Click the Set Interval button. To set the monitoring period: From the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 486
    memory, and hard disk status • ReadyNAS and quarantine status • Services status (indicating whether the protocols are scanned for malware) and the number of active connections per service • Firmware versions and update information of the UTM, software
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 487
    ProSecure Unified Threat Management (UTM) Appliance View the System Status Screen To view the System Status screen, select Monitoring > System Status. The System Status tabs display, with the System Status screen in view: Figure 281. The following table explains the fields of the System Status
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 488
    Active UDP connections The number of active connections that use TCP. Services The protocols for which scanning is enabled (ON or OFF is stated dates for the email protection and web protection licenses, the combined support and maintenance license, and the combined application control and IPS
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 489
    ProSecure Unified Threat Management (UTM) Appliance available wireless access point, and has a Wireless Statistics option arrow in the upper right of the screen.) Figure 282. The UTM9S and UTM25S also show a table with available access points at the bottom of the Network Status screen: Figure 283.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 490
    ProSecure Unified Threat Management (UTM) Appliance Table 124. Network Status screen fields (continued) Item SSID BSSID Profile Name Security Encryption Authentication Description The SSID of the wireless profile. The MAC address of the wireless radio, adjusted for each wireless profile. The name
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 491
    ProSecure Unified Threat Management (UTM) Appliance To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 125. Router Statistics screen fields Item Description System up Time. The period since the last
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 492
    ProSecure Unified Threat Management (UTM) Appliance The following table explains the fields of the Wireless Statistics screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 126. Wireless Statistics
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 493
    ProSecure Unified Threat Management (UTM) Appliance View the Detailed Status Screen To view the Detailed Status screen, select Monitoring > System Status > Detailed Status. The Detailed Status screen displays. (The following figure shows the Detailed Status screen of the UTM50.) Figure 286. The
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 494
    ProSecure Unified Threat Management (UTM) Appliance Figure 287. Detailed Status screen sections that are specific to the UTM9S and UTM25S Monitor System Access and Performance 494
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 495
    80. Card Type (UTM9S and The configuration of the xDSL network module: VDSL or ADSL. UTM25S only) Daughter Card (UTM9S The type of supported annex on the xDSL network module: Annex A or Annex B and UTM25S only) (VDSL_ANNEXA, VDSL_ANNEXB, ADSL_ANNEXA, or ADSL_ANNEXB). Monitor System Access and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 496
    is enabled. For information about connecting WAN ports, see Chapter 3, Manually Configure Internet and WAN Settings. NAT The NAT state can be a WAN port, see the ProSecure Unified Threat Management UTM Installation Guide. WAN Connection Type The detected type of Internet connection that is used
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 497
    ProSecure Unified Threat Management (UTM) Appliance Table 127. Detailed Status screen fields (continued) Item Description MAC Address For the WAN or xDSL ports, this field displays the default MAC address or the MAC address that you have specified on the Advanced Options screen. For the USB
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 498
    ProSecure Unified Threat Management (UTM) Appliance View the VLAN Status Screen The VLAN Status screen displays information about the VLANs (both enabled and disabled) that are configured on the UTM. For information about configuring VLAN profiles, see Configure a VLAN Profile on page 103. For
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 499
    ProSecure Unified Threat Management (UTM) Appliance View the xDSL Statistics Screen (UTM9S and UTM25S Only) To view the xDSL Statistics screen, select Monitoring > System Status > xDSL Statistics. The xDSL Statistics screen displays: Figure 289. View the Active VPN Users The Active Users screen
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 500
    ProSecure Unified Threat Management (UTM) Appliance View the VPN Tunnel Connection Status To review the status of current IPSec VPN tunnels, select Monitoring > Active Users & VPNs > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays: Figure 291. The Active IPSec SA(s)
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 501
    ProSecure Unified Threat Management (UTM) Appliance Figure 292. The active user's user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 502
    ProSecure Unified Threat Management (UTM) Appliance The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button. To view the active L2TP tunnel users, select
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 503
    ProSecure Unified Threat Management (UTM) Appliance Figure 295. 2. Select the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen. Figure 296. The Port Triggering Status screen displays the information that is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 504
    ProSecure Unified Threat Management (UTM) Appliance View the WAN, xDSL, or USB Port Status You can view the status of the WAN connections, the DNS servers, and the DHCP servers. For the UTM9S and UTM25S, you can also view the status of the xDSL and USB ports. To view the status of a WAN, xDSL, or
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 505
    more information, see the following sections: • For WAN ports, see Automatically Detecting and Connecting the Internet Connections on page 71 and Manually Configure the Internet Connection on page 75. • For the xDSL port (UTM9S and UTM25S only), see Automatically Detecting and Connecting the xDSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 506
    box. Allows you to select the computer or device in the table. • Name. The name of the computer or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry Monitor System Access and Performance 506
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 507
    clients of the UTM, this IP address does not change. If a computer or device is assigned a static IP address, you need to update this entry manually after the IP address on the computer or device has changed. • MAC Address. The MAC address of the computer or device's network interface. • Group. Each
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 508
    on page 467). However, by default, many more types of events are logged in the system logs. • Service. All events that are related to the status of scanning and filtering services that you access from the Application Security main navigation menu. These events include update success messages, update
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 509
    ProSecure Unified Threat Management (UTM) Appliance You can query and generate each type of log separately and filter the information based on a number of criteria. For example, you can filter the malware logs using the following criteria (other log types have similar filtering criteria): • Start
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 510
    , that is, when you select System from the drop-down list, the System Logs screen displays. • Service Logs. All events that are related to the status of scanning and filtering services that you access from the Application Security main navigation menu. These events include update success messages
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 511
    This field is available for the following logs: Traffic, Spam, System, Service, Malware, Email filters, Content filters, IPS, Anomaly Behavior, Application, Firewall Smart Block. End Date/Time From the drop-down lists, select the year, month, day, hours, and minutes for the end date and time.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 512
    ProSecure Unified Threat Management (UTM) Appliance Table 134. Logs Query screen settings (continued) Setting Search Criteria (continued) Description Category or Categories From the drop-down list, select a category that is queried. You can select the following from the drop-down list: • For
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 513
    that are used to indicate the syslog server severity: EMERG, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, and DEBUG. This field is available only for the Service log. URL The URL that is queried. This field is available only for the Content filters log. Content The user name, client IP address
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 514
    . Note: After the UTM reboots, traffic logs are lost. Therefore, NETGEAR recommends that you connect the UTM to a syslog server to save the this 15-minute period are lost. For information about how to purge selected logs manually, see Configure and Activate System, Email, and Syslog Logs on page 467.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 515
    ProSecure Unified Threat Management (UTM) Appliance Query the Quarantined Logs To query the quarantine logs: 1. Select Monitoring > Quarantine. The Quarantine screen displays. (The following figure shows the Spam log information settings as an example.) Depending on the selection that you make
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 516
    for the selected log. Start Date/Time From the drop-down lists, select the year, month, day, hours, and minutes for the start date and time. This Spam and Malware logs. End Date/Time From the drop-down lists, select the year, month, day, hours, and minutes for the end date and time. This field
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 517
    ProSecure Unified Threat Management (UTM) Appliance View and Manage the Quarantined Spam Table When you query the spam quarantine file, the Quarantine screen with the Quarantined Spam table displays: Figure 303. The Quarantined Spam table has the following columns (not all columns are shown in the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 518
    ProSecure Unified Threat Management (UTM) Appliance After you have selected one or more table entries, take one of the following actions (or click the return link to return to the previous screen): • Send as Spam. The selected spam email files are tagged as spam for distributed spam analysis, and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 519
    ProSecure Unified Threat Management (UTM) Appliance • Client IP. The client IP address from which the spyware or virus originated. • Server IP. The server IP address from which the spyware or virus originated. • From. The email address of the sender. • To. The email address of the recipient. • URL/
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 520
    ProSecure Unified Threat Management (UTM) Appliance 2. Click the Check your quarantined mail link. The following screen displays: Figure 306. 3. From the drop-down lists, specify the start date, start time, end date, and end time for the spam report. 4. In the Send to field, enter an email address.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 521
    the report (horizontal bar, pie, or vertical bar) Because of the nature of the Report screen, it is divided and presented in this manual in three figures that are explained in the following sections: • Report Filtering Options • Use Report Templates and View Reports Onscreen • Schedule, Email, and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 522
    ProSecure Unified Threat Management (UTM) Appliance 2. Select the Enable Application Session Monitoring check box. By default, this check box is cleared. 3. Click Apply to save your changes. Report Filtering Options Before you generate reports to view onscreen or schedule reports to be emailed, you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 523
    . You cannot save these settings. From the drop-down lists, specify the start year, month, day, and hour for the report. Note: By default, the beginning maximum time range is 31 days. From the drop-down lists, specify the end year, month, day, and hour for the report. Note: By default, the ending
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 524
    ProSecure Unified Threat Management (UTM) Appliance 3. The next step depends on whether you want to view the report on screen or schedule it to be emailed: • Viewing onscreen. To view a filtered report onscreen, select a report by clicking View next to the report. (For more information, see the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 525
    ProSecure Unified Threat Management (UTM) Appliance Figure 309. Report, screen 2 of 4 Note: For information about setting a time range and other filtering options for a report, see the previous section. 2. Select a report by clicking View next to the report to display the selected report onscreen
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 526
    ProSecure Unified Threat Management (UTM) Appliance Table 137. Report screen: report template information (continued) Report template Information reported for the specified time range URL Filtering by Time For the HTTPS and HTTP protocols separately, a chart and a table with the number of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 527
    ProSecure Unified Threat Management (UTM) Appliance Table 137. Report screen: report template information (continued) Report template Information reported for the specified time range Top n Categories By Request For all web server protocols combined, a chart and a table with the web categories
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 528
    ProSecure Unified Threat Management (UTM) Appliance Table 137. Report screen: report template information (continued) Report template Top n Applications by Bandwidth Top n Users by Bandwidth Applications Bandwidth Usage by Time Users Bandwidth Usage by Time Email Activity Malware Incidents By Time
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 529
    ProSecure Unified Threat Management (UTM) Appliance Table 137. Report screen: report template information (continued) Report template Blacklist By Time System Total Bandwidth Usage By Time Top n User By Bandwidth Total Malware Incidents By Time Top n Malwares Top n Infected Clients CPU & Mem Usage
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 530
    ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings in the Schedule Reports section as explained in the following table: Table 138. Report screen: schedule report settings Setting Description Schedule Reports Email Recipients Specify the email addresses of the report
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 531
    ProSecure Unified Threat Management (UTM) Appliance Figure 311. Report, screen 4 of 4 The Report History section shows the generated and emailed reports with their report date and lets you perform the following actions. • Specify the number of reports to keep. To manage the number of reports that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 532
    screen, select Monitoring > Diagnostics. To facilitate the explanation of the tools, the Diagnostics screen is divided and presented in this manual in three figures. Use the Network Diagnostic Tools This section discusses the Network Diagnostics section and the Perform a DNS Lookup section
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 533
    screen, click Back on the browser menu bar. Display the Routing Table Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table, locate the Network Diagnostics section on the Diagnostics screen. Next to Display the Routing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 534
    the file has been downloaded successfully. 8. Optional: Send the file to NETGEAR technical support for analysis. Gather Important Log Information and Generate a Network Statistics Report When you request support, NETGEAR technical support might ask you to collect the debug logs and other information
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 535
    ProSecure Unified Threat Management (UTM) Appliance Figure 314. Diagnostics, screen 3 of 4 Gather Important Log Information To gather log information about your UTM: 1. Locate the Gather Important Log Information section on the Diagnostics screen. Click Download Now. You are prompted to save the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 536
    ProSecure Unified Threat Management (UTM) Appliance Perform Maintenance on the USB Device, Reboot the UTM, or Shut Down the UTM Note: The USB Device Maintenance section applies to the UTM9S and UTM25S only. This section discusses the USB Device Maintenance section and System Maintenance section of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 537
    Note: Rebooting breaks any existing connections either to the UTM (such as your management session) or through the UTM (for example, LAN users accessing the Internet). However, when the reboot process is complete, connections to the Internet are
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 538
    12. Troubleshoot and Use Online Support This chapter provides troubleshooting tips and information for the UTM. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the UTM on? Go to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 539
    UTM and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR technical support. Test LED Never Turns Off When the UTM is powered on, the Test LED turns on for approximately 2 minutes and then
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 540
    545. If the error persists, you might have a hardware problem and should contact NETGEAR technical support. LAN or WAN Port LEDs Not On If either the be standard straight-through Ethernet cables or Ethernet crossover cables. Troubleshoot the Web Management Interface If you cannot access the UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 541
    of the WAN ISP Settings screens of the multiple WAN port models. For more information, see Manually Configure the Internet Connection on page 75. • If the computer is configured correctly, but still request was successful using the web management interface.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 542
    to an external site such as www.netgear.com. 2. Access the web management interface obtain an IP address from the ISP, the problem might be one of the following: • Your information. For more information, see Manually Configure the Internet Connection on page 75
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 543
    that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your problems: • Wrong physical connections: - Make sure that the LAN port LED is on. If the LED is off, follow the instructions in LAN or WAN Port LEDs Not On on page 540.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 544
    Domain Name field, and you might have to enter additional information. For more information, see Manually Configure the Internet Connection on page 75. • Your ISP could be rejecting the Ethernet MAC Address and Configure Advanced WAN Options on page 94.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 545
    you intend on using them. Note: After rebooting with factory default settings, the UTM's password is password, and the LAN IP address is 192.168.1.1.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 546
    Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on Troubleshooting One of the advanced features that the UTM provides is online support through a support tunnel. With this feature, NETGEAR technical support
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 547
    You can report any undetected malware file or malicious email to NETGEAR for analysis. The file is compressed and password-protected before it is sent. To submit a file to NETGEAR for analysis: 1. Select Support > Malware Analysis. The Online Support screen displays:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 548
    information that is relevant. 3. Click Submit. Access the Knowledge Base and Documentation To access NETGEAR's knowledge base for the UTM, select Support > Knowledge Base. To access NETGEAR's documentation library for your UTM model, select Support > Documentation.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 549
    Additional WAN-Related Configuration Tasks A UTM9S or UTM25S can simultaneously support a DSL WAN interface, Ethernet WAN interfaces, and a USB information about how to configure the Ethernet WAN interfaces, see Chapter 3, Manually Configure Internet and WAN Settings. • For information about how to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 550
    to your ISP. During this phase, you connect to your ISP. See Automatically Detecting and Connecting the xDSL Internet Connection on page 553 or Manually Configure the xDSL Internet Connection on page 556. 3. Configure the WAN mode. Select either NAT or classical routing, and select dedicated (single
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 551
    To configure the xDSL settings: 1. Select Network Config > WAN Settings. The WAN screen displays: Figure 319. Note: For more information about the WAN screen, see Automatically Detecting and Connecting the xDSL Internet Connection on page 553. 2.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 552
    Figure 321. 4. Either click Auto Detect or, if you have the correct settings, enter the settings as explained in the following table: Table 140. xDSL settings Setting Description xDSL Settings DSL Transfer Mode Select one of the following DSL
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 553
    interface provides the option to detect the network connection and configure the xDSL port automatically. You can also manually configure the Internet connection and port (see Manually Configure the xDSL Internet Connection on page 556). To configure the WAN port automatically for connection to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 554
    You can set the failure detection method for the DSL interface on the corresponding WAN Advanced Options screen (see Configure Auto-Rollover Mode and the Failure Detection Method on page 563). • Action. The Edit button in the Action column of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 555
    that your ISP is most likely to support. The autodetect process returns one of the results (for example, DHCP service detected). • If the autodetect process methods Connection method Manual data input required DHCP the WAN Mode on page 561, and Troubleshoot the ISP Connection on page 541. 4.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 556
    in Set the UTM's MAC Address and Configure Advanced WAN Options on page 574. For information about troubleshooting, see Troubleshoot the ISP Connection on page 541. Manually Configure the xDSL Internet Connection Unless your ISP automatically assigns your configuration through DHCP, you need to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 557
    Figure 325. 2. Click the Edit button in the Action column of the SLOT-x interface. The SLOT-x ISP Settings screen displays (see Figure 323 on page 554). 3. Locate the ISP Login section onscreen: Figure 326. In the ISP Login section, select one of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 558
    6. If your connection is Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Protocol over ATM (PPPoA), your ISP requires an initial login. Enter the settings as explained in the following table: Table 142. PPPoE and PPPoA settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 559
    Table 143. Internet IP address settings Setting Description Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 560
    Table 144. DNS server settings Setting Description Get Automatically from ISP: If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button. Use These DNS Servers: If your ISP has
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 561
    manual ISP configuration fails: You might need to change the MAC address as described in Set the UTM's MAC Address and Configure Advanced WAN Options on page 574. For information about troubleshooting, see Troubleshoot an xDSL network module is installed can support a DSL WAN interface, Ethernet WAN
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 562
    that the backup interface has also been configured and that you configure the WAN failure detection method on the WAN Advanced Options screen to support auto-rollover (see Configure Auto-Rollover Mode and the Failure Detection Method on page 563). Whichever WAN mode you select, you also need to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 563
    WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover. xDSL Network Module for the UTM9S and UTM25S 563
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 564
    When the UTM9S or UTM25S is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. Link failure is detected in one of the following ways: • DNS
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 565
    DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the xDSL Internet Connection on page 556).
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 566
    Table 145. Failure detection method settings (continued) Setting Custom DNS Ping Retry Interval is Failover after Description DNS queries are sent to the specified DNS server. DNS Server The IP address of the DNS server. Pings are sent to a
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 567
    • Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established. Configure Load Balancing To configure load
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 568
    that are covered by the protocol binding rule. • Action. The Edit button provides access to the Edit Protocol Binding screen for the corresponding service. 2. Click the Add table button below the Protocol Bindings table. The Add Protocol Binding screen displays:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 569
    settings as explained in the following table: Table 146. Add Protocol Binding screen settings Setting Service Description From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 570
    firewall rule screens: • In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens: - Add LAN WAN Inbound Service screen - Add DMZ WAN Inbound Service screen • In the NAT IP drop-down lists of the following outbound firewall rule screens: - Add LAN WAN Outbound
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 571
    For more information about firewall rules, see Overview of Rules to Block or Allow Specific Kinds of Traffic on page 128. It is important that you ensure that any secondary DSL addresses are different from the primary DSL, WAN, LAN, and DMZ IP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 572
    , or click the Select All table button to select all addresses. 2. Click the Delete table button. Configure Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you need to set up an account
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 573
    WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible onscreen. 2. Click the submenu tab for your DDNS service provider: • Dynamic DNS for DynDNS.org (which is shown in the following figure) • DNS TZO for TZO.com • DNS Oray for Oray.net • 3322
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 574
    : Host and Domain Name The host and domain name for the DDNS service. Username or User Email Address The user name or email address for not often change, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If the Update every 30 days check box
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 575
    Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced Options screen for the DSL interface. This procedure is discussed in Configure the Failure Detection Method on page 565. IMPORTANT: Each computer
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 576
    authentication. Use this MAC Address Select the Use this MAC Address radio button, and manually enter the MAC address in the field next to the radio button. You would , the UTM9S or UTM25S restarts, or services such as HTTP and SMTP might restart.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 577
    the Ethernet WAN interfaces of the UTM9S or UTM25S (see Chapter 3, Manually Configure Internet and WAN Settings). • If you want the ability to Remote Management Access on page 438). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 578
    B. Wireless Network Module for the UTM9S and UTM25S This appendix describes how to configure the wireless features of the NMSWLSN wireless network module that you can install in a UTM9S or UTM25S. This appendix includes the following sections: • Overview of the Wireless Network Module •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 579
    , an individual in-building wireless access point provides a maximum connectivity area of about a 500-foot radius. The wireless network module can support a small group of wireless users, typically 5 to 20 users. The wireless network module integrates a 2.4-GHz radio and a 5-GHz radio. One radio
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 580
    the wireless network module. For complete performance specifications, see the data sheet on the ProSecure UTM series home page at http://prosecure.netgear.com/products/prosecure-utm-series/index.php. For best results, place your UTM9S or UTM25S according to the following general guidelines: • Near
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 581
    Figure 339. 2. Specify the settings as explained in the following table: Table 149. Radio Settings screen settings Field Region Country Operating Frequency Descriptions This is a preconfigured field that you cannot change. Specify a country by
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 582
    Table 149. Radio Settings screen settings (continued) Field Mode Descriptions The wireless modes that you can select depend on the radio's operating frequency that you select. 2.4 GHz Specify the wireless mode in the 2.4-GHz band by making a
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 583
    change the operating frequency (channel) unless you notice interference problems, or are setting up the UTM9S or UTM25S near another provides the least interference and best performance. In the United States and Canada, 11 channels are available in the 2.4-GHz operating frequency and 13 channels
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 584
    • In infrastructure mode, wireless devices normally scan all channels, looking for a wireless access point. If more than one wireless access point can be used, the one with the strongest signal is used. This can happen only when the wireless access
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 585
    of WPA2 make it virtually impossible to compromise. The wireless network module supports WPA+WPA2 with PSK, RADIUS, or a combination of PSK and on page 588. Note: TKIP provides only legacy (slower) rates of operation. NETGEAR recommends WPA2 with AES to make use of 802.11n rates and speed. Wireless
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 586
    XP, Windows 2000 with Service Pack 3, and Windows Vista do include the client software that supports WPA. However, client software is required on the client. Consult the product documentation for your wireless adapter and WPA or WPA2 client software for instructions about configuring WPA2 settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 587
    For a new wireless profile, print or copy the following form and fill in the settings. Store this information in a safe place: • SSID The service set identifier (SSID) identifies the wireless local area network. You can customize it by using up to 32 alphanumeric characters. Write your SSID on
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 588
    Configure and Enable Wireless Profiles To add a wireless profile: 1. Select Network Config > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays: Figure 341. The following table explains the fields of the Wireless
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 589
    Figure 342. 3. Specify the settings as explained in the following table: Table 151. Add Wireless Profiles screen settings Field Profile Configuration Profile Name Description The name for the wireless profile. For the UTM9S, the name of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 590
    name (SSID) for the wireless profile. The default SSID name is netgear-1. You can change this name by entering up to 32 alphanumeric Select the encryption. - Enter a passphrase and generate a key, or enter a key manually. • WEP. To configure WEP, take the following steps in the WEP Index and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 591
    Table 151. Add Wireless Profiles screen settings (continued) Field Description Encryption Note: WPA, WPA2, and WPA+WPA2 only. The encryption that you can select depends on the type of WPA security that you have selected: • WPA. You can select
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 592
    clicking Generate. Specify the active key by selecting one of the four radio buttons. Only one key can be the active key. Either enter a key manually or generate the key automatically by clicking Generate. The length of the key depends on the selected encryption: • 64-bit WEP. A key length of
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 593
    To edit a wireless profile: 1. On the Wireless Profiles screen (see Figure 341 on page 588), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Wireless Profile screen displays. This screen is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 594
    Figure 343. Note: The default wireless profile with profile name UTM9S or UTM25S is referred to as virtual access point zero (VAP0). If you add more wireless profiles, they are referred to as VAP1, VAP2, and VAP3. 3. In the MAC Filter Configuration
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 595
    WARNING: If you configure the wireless network module in the UTM9S or UTM25S from a wireless computer whose MAC address is not in the access control list, and if the ACL policy status is set to deny access, you lose your wireless connection when
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 596
    expansion of a wireless network through two or more access points that are interconnected and that use the same radio channel and security mode. WDS is supported in any of the security modes (see Wireless Security Profiles on page 585). If you configure the access point for WEP, then WDS works in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 597
    mixed encryption (TKIP+AES, which is supported in WPA and WPA+WPA2 security modes), WDS uses AES because it is the stronger encryption method. To configure WDS, you need to know the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 598
    To configure WDS on a peer: 1. Configure the same wireless security that you have configured on the UTM9S or UTM25S. 2. Enter the MAC address of the UTM9S's or UTM25S's access point, which is displayed on the WDS Configuration screen of the UTM9S
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 599
    3. Specify the settings as explained in the following table: Table 153. Advanced Wireless screen settings Setting Beacon Interval Description Enter an interval between 20 ms and 100 ms for each beacon transmission, which allows the wireless
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 600
    or audio, has a higher priority than normal traffic. For WMM to function correctly, wireless clients also need to support WMM. By enabling WMM, you allow Quality of Service (QoS) control for upstream traffic flowing from a wireless client to the UTM9S or UTM25S and for downstream traffic flowing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 601
    Figure 347. 3. Select the Enable WMM check box. 4. Click Apply to save your settings. 5. In the DSCP to Queue table, from the drop-down lists, select a WMM queue for each DSCP value that you want to use in a QoS profile: • 4. The highest priority
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 602
    Edit Profiles screen. If that does not help you to solve the connection problem, see Chapter 12, Troubleshoot and Use Online Support. For More Information About Wireless Configurations Visit http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to become part
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 603
    about how to configure the Ethernet WAN interfaces, see Chapter 3, Manually Configure Internet and WAN Settings. • For information about how to in the USB port on the front panel. A list of supported dongles is available at http://support.netgear.com/utmhcl. Generally, four steps, one of which is
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 604
    ISP, and, only if necessary, modify the 3G/4G settings. See Manually Configure the USB Internet Connection on page 604. 2. Configure the 3G/4G appendix, the USB WAN interface is often referred to as the USB interface. Manually Configure the USB Internet Connection When you insert a 3G/4G dongle in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 605
    To configure the WAN ISP settings for the USB interface: 1. Select Network Config > WAN Settings. The WAN screen displays: Figure 348. 2. Select WAN Mode 3. Click the Edit button in the Action column of the USB interface. The USB ISP Settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 606
    Description 3G Dongle Details Card Type The card type is a fixed field that states 3G/4G. Enable 3G Service Select the Enable 3G Service check box to enable the 3G/4G service. Connection Settings Idle Timeout Select the Keep Connected radio button to keep the connection always on. To log
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 607
    Table 154. USB ISP settings (continued) Setting Description Use These DNS Servers If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 608
    is required only if you cannot connect to your ISP. For example, if your ISP provides you information about a pay plan for the 3G/4G service, you might need to configure the 3G/4G settings. To configure the 3G/4G settings: 1. Select Network Config > WAN Settings. The WAN screen displays (see
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 609
    4. The information in the 3G Status section and SIM Card state section of the screen is automatically detected. If necessary, configure the connection settings as explained in the following table. Table 155. 3G/4G settings Setting Description
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 610
    to the Internet. Configure the WAN Mode • Configure Network Address Translation • Configure Classical Routing A UTM9S or UTM25S in which a 3G/4G dongle is installed can support a USB WAN interface, Ethernet WAN interfaces, and a DSL interface. 3G/4G Dongles for the UTM9S and UTM25S 610
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 611
    The UTM9S or UTM25S distributes the outbound traffic equally among the DSL, USB, and WAN interfaces that are functional. The UTM9S and UTM25S support weighted load balancing and round-robin load balancing (see Configure Load Balancing and Optional Protocol Binding on page 614). Note: Scenarios could
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 612
    For information about how to configure the USB interface as a rollover link, see the following sections: • To configure the USB interface as the rollover link for a WAN interface, see Configure Load Balancing (Multiple WAN Port Models) on page 86.
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 613
    Figure 352. 2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button. 3. Click Apply to save your settings. Configure Classical Routing In classical routing mode, the UTM9S and UTM25S perform routing, but
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 614
    traffic can be routed through a WAN interface connected to a low-speed link. • Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established. Configure Load Balancing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 615
    icon. Indicates the status of the protocol binding rule: - Green circle. The protocol binding rule is enabled. - Gray circle. The protocol binding rule is disabled. • Service. The service or protocol for which the protocol binding rule is set up. • Local Gateway. The WAN interface to which the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 616
    are covered by the protocol binding rule. • Action. The Edit button provides access to the Edit Protocol Binding screen for the corresponding service. 2. Click the Add table button below the Protocol Bindings table. The Add Protocol Binding screen displays: Figure 355. 3. Configure the protocol
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 617
    Table 156. Add Protocol Binding screen settings (continued) Setting Description Destination Network The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 618
    , you do not know in advance what your IP address will be, and the address can change frequently; hence the need for a commercial DDNS service, which allows you to register an extension to its domain, and forwards DNS requests for the resulting fully qualified domain name (FQDN) to your frequently
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 619
    WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible onscreen. 2. Click the submenu tab for your DDNS service provider: • Dynamic DNS for DynDNS.org (which is shown in the following figure) • DNS TZO for TZO.com • DNS Oray for Oray.net • 3322
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 620
    : Host and Domain Name The host and domain name for the DDNS service. Username or User Email Address The user name or email address for not often change, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If the Update every 30 days check box
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 621
    the Ethernet WAN interfaces of the UTM9S or UTM25S (see Chapter 3, Manually Configure Internet and WAN Settings). • If you want the ability to Remote Management Access on page 438). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 622
    D. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix does not apply to single WAN port models. This appendix contains the following sections: • What to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 623
    Internet services such as cable or DSL broadband accounts, and locate the Internet service provider (ISP) configuration information. • In this manual, the to enable remote management locally after each factory default reset. NETGEAR strongly advises you to change the default management password to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 624
    modems and a computer. Instructions for connecting the UTM are in the ProSecure Unified Threat Management UTM Installation Guide. Cabling and Computer on the UTM, you need to use a Java-enabled web browser that supports HTTP uploads such as Microsoft Internet Explorer 6 or later, Mozilla Firefox
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 625
    a login name and password, then fill in the following: Login name Password Service name • Fixed or static IP address: If you have a static IP address been given host or domain names, you can use the following examples as a guide: - If your main email account with your ISP is [email protected],
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 626
    Appliance • Fully qualified domain name: Some organizations use a fully qualified domain name (FQDN) from a Dynamic DNS service provider for their IP addresses. Dynamic DNS service provider FQDN: Overview of the Planning Process The areas that require planning when you use a firewall
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 627
    Figure 359. Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP address of each WAN the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 628
    can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case, the WAN's Internet address send incoming traffic to the multiple exposed hosts when this feature is supported and enabled. Inbound Traffic: Dual WAN Ports for Improved Reliability In
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 629
    ProSecure Unified Threat Management (UTM) Appliance Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic. Figure
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 630
    ProSecure Unified Threat Management (UTM) Appliance For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations. • Dual WAN ports in
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 631
    ProSecure Unified Threat Management (UTM) Appliance VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote VPN client initiates the VPN tunnel because the IP address of the remote VPN client is not known in advance. The gateway WAN port
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 632
    ProSecure Unified Threat Management (UTM) Appliance Figure 368. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote VPN client can determine the gateway IP address to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 633
    ProSecure Unified Threat Management (UTM) Appliance VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall such as a UTM to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 634
    ProSecure Unified Threat Management (UTM) Appliance Figure 371. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the active WAN ports
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 635
    ProSecure Unified Threat Management (UTM) Appliance Figure 373. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter (Client-to-Gateway through a NAT Router)
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 636
    ProSecure Unified Threat Management (UTM) Appliance The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional. VPN Telecommuter: Dual-Gateway WAN Ports for Improved Reliability In a
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 637
    ProSecure Unified Threat Management (UTM) Appliance VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration, the remote VPN client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 638
    information about integrating a ReadyNAS with a UTM, see the UTM ReadyNAS Integration Guide that you can access from http://downloadcenter.netgear.com. Supported ReadyNAS Models The following ReadyNAS models are supported for integration with the UTM: • ReadyNAS 1500 • ReadyNAS 2100 • ReadyNAS 3100
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 639
    ProSecure Unified Threat Management (UTM) Appliance Install the UTM Add-On on the ReadyNAS  To install the UTM add-on on the ReadyNAS: 1. Start a web browser. 2. In the address field, enter the IP address of the ReadyNAS, for example, enter https://192.168.168.168. The ReadyNAS web management
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 640
    ProSecure Unified Threat Management (UTM) Appliance Figure 379. 7. Click Install. 8. Select Add-ons > Installed. Figure 380. 9. Select the UTM Connector check box to enable the UTM connection. ReadyNAS Integration 640
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 641
    ProSecure Unified Threat Management (UTM) Appliance 10. Click Save. The status indicator shows green. Figure 381. Connect to the ReadyNAS on the UTM  To connect to the ReadyNAS on the UTM: 1. Select Administration > ReadyNAS Integration. The ReadyNAS Integration screen displays: Figure 382. 2. To
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 642
    ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: Table 160. ReadyNAS Integration screen settings Setting ReadyNAS Server Description The IP address of the ReadyNAS server. ReadyNAS Username ReadyNAS Password The user name to access
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 643
    ProSecure Unified Threat Management (UTM) Appliance Figure 384. ReadyNAS Integration 643
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 644
    and an example of how to implement the WiKID solution. This appendix contains the following sections: • Why Do I Need Two-Factor Authentication? • NETGEAR Two-Factor Authentication Solutions Why Do I Need Two-Factor Authentication? • What Are the Benefits of Two-Factor Authentication? • What Is Two
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 645
    now can use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products. The WiKID solution is based been confirmed by the server. The request-response architecture supports self-service initialization by end users, dramatically reducing implementation and maintenance
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 646
    ProSecure Unified Threat Management (UTM) Appliance Figure 385. 2. A one-time passcode (something the user has) is generated. Figure 386. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 647
    ProSecure Unified Threat Management (UTM) Appliance Figure 387. Two-Factor Authentication 647
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 648
    of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • System Log Messages • Service Logs • Content-Filtering and Security Logs • Routing Logs This appendix uses the log message terms that are described in the following
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 649
    ProSecure Unified Threat Management (UTM) Appliance System Log Messages • System Startup • Reboot • NTP • Login/Logout • Firewall Restart • IPSec Restart • WAN Status • Traffic Metering Logs • Unicast, Multicast, and Broadcast Logs • Invalid Packet Logging This section describes log messages that
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 650
    sec Nov 28 12:31:14 [UTM] [ntpdate] Synchronized time with time-f.netgear.com Nov 28 12:31:16 [UTM] [ntpdate] Date and Time Before Synchronization after 2 Hours Message 1: DNS resolution for the NTP server (time-f.netgear.com). Message 2: Request for NTP update from the time server. Message 3:
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 651
    ProSecure Unified Threat Management (UTM) Appliance Firewall Restart This section describes logs that are generated when the firewall restarts. Table 166. System logs: firewall restart Message Explanation Recommended Action Jan 23 16:20:44 [UTM] [wand] [FW] Firewall Restarted Logs that are
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 652
    ProSecure Unified Threat Management (UTM) Appliance This section describes the logs that are generated when the WAN mode is set to auto-rollover. Table 168. System logs: WAN status, auto rollover Message Explanation Recommended Action Nov 17 09:59:09 [UTM] [wand] [LBFO] WAN1 Test Failed 1 of 3
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 653
    section describes the WAN PPP connection logs. The PPP type can be configured through the web management interface. For more information, see Manually Configure the Internet Connection on page 75. • PPPoE Idle Timeout logs Table 170. System logs: WAN status, PPPoE idle timeout Message 1 Message
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 654
    ProSecure Unified Threat Management (UTM) Appliance Table 170. System logs: WAN status, PPPoE idle timeout (continued) Explanation Message 1: Establishment of the PPPoE connection starts. Message 2: A message from the PPPoE server indicating a correct login. Message 3: The authentication for PPP
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 655
    ProSecure Unified Threat Management (UTM) Appliance • PPP Authentication logs Table 172. System logs: WAN status, PPP authentication Message 1 Message 2 Message 3 Message 4 Nov 29 11:29:26 [UTM] [pppd] Starting link Nov 29 11:29:29 [UTM] [pppd] Remote message: Login incorrect Nov 29 11:29:29 [UTM
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 656
    ProSecure Unified Threat Management (UTM) Appliance ICMP Redirect Logs This section describes logs that are generated when the UTM processes ICMP redirect messages. Table 175. System logs: unicast, redirect Message Explanation Recommended Action Feb 2007 22 14:36:07 [UTM] [kernel] [LOG_PACKET]
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 657
    ProSecure Unified Threat Management (UTM) Appliance Table 177. System logs: invalid packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 658
    are generated when a firmware update fails or succeeds. The message shows the date and time, and the event. Note: The service log includes miscellaneous service messages. None. Content-Filtering and Security Logs • Web Filtering and Content-Filtering Logs • Spam Logs • Traffic Logs • Malware Logs
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 659
    ProSecure Unified Threat Management (UTM) Appliance • IPS Logs • Anomaly Behavior Logs • Application Logs This section describes the log messages that are generated by the content-filtering and security mechanisms. Web Filtering and Content-Filtering Logs This section describes logs that are
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 660
    ProSecure Unified Threat Management (UTM) Appliance Table 179. Content-filtering and security logs: web filtering and content filtering (continued) Message Explanation Recommended Action 2009-08-01 00:00:01 HTTP ldap_domain ldap_user 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 661
    .zip radius_domain radius_user1 192.168.1.2 192.168.35.166 [email protected] [email protected] [MALWARE INFECTED] Fw: cleanvirus Virus logs for all services. The message shows the date and time, protocol, virus name, the action that is taken, file name, domain, user, client IP address, server
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 662
    ProSecure Unified Threat Management (UTM) Appliance IPS Logs This section describes logs that are generated when traffic matches IPS rules. Table 184. Content-filtering and security logs: IPS Message Explanation Recommended Action 2008-12-31 23:59:37 drop TCP 192.168.1.2 3496 192.168.35.165 8081
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 663
    ProSecure Unified Threat Management (UTM) Appliance Application Logs This section describes logs that are generated when the UTM filters application traffic. Table 186. Content-filtering and security logs: applications Message Explanation Recommended Action 2008-12-31 23:59:31 0 block 1 8800115 2
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 664
    ProSecure Unified Threat Management (UTM) Appliance LAN-to-DMZ Logs This section describes logs that are generated when the UTM processes LAN-to-DMZ traffic. Table 188. Routing logs: LAN to DMZ Message Explanation Recommended Action Nov 29 09:44:06 [UTM] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 665
    ProSecure Unified Threat Management (UTM) Appliance DMZ-to-LAN Logs This section describes logs that are generated when the UTM processes DMZ-to-LAN traffic. Table 191. Routing logs: DMZ to WAN Message Explanation Recommended Action Nov 29 09:44:06 [UTM] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 666
    H H. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the UTM in the following sections: • Default Settings • Physical and Technical Specifications Default Settings You can use the Factory Defaults reset
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 667
    ProSecure Unified Threat Management (UTM) Appliance Table 193. UTM default configuration settings (continued) Feature WAN connections WAN MAC address WAN MTU size Port speed Dynamic DNS Local network (LAN) LAN IP address Subnet mask DHCP server DHCP starting IP address DHCP starting IP address
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 668
    ProSecure Unified Threat Management (UTM) Appliance Table 193. UTM default configuration settings (continued) Feature Default behavior Firewall and network security Inbound LAN WAN rules (communications coming in All traffic is blocked, except for traffic in from the Internet) response to
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 669
    ProSecure Unified Threat Management (UTM) Appliance Table 193. UTM default configuration settings (continued) Feature Application security SMTP POP3 IMAP Email content filtering Email whitelist and black list Email real-time blacklist Email distributed spam analysis HTTP HTTPS FTP Web content
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 670
    ProSecure Unified Threat Management (UTM) Appliance Table 193. UTM default configuration settings (continued) Feature Default behavior Blocked keywords for Web traffic None Embedded Objects (ActiveX/Java/Flash) Allowed Javascript Allowed Proxy Allowed Cookies Allowed URL whitelist and
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 671
    ProSecure Unified Threat Management (UTM) Appliance Table 193. UTM default configuration settings (continued) Feature Default behavior Authentication algorithm SHA-1 Authentication method Pre-shared Key Key group DH-Group 2 (1024 bit) Life time 8 hours VPN IPsec Wizard: VPN policy
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 672
    America, Latin America, and The Caribbean. United States • Oceania. Australia Operating frequency 2.4 GHz or 5 GHz Default security profile netgear-1 Default network name (SSID) UTM9S or UTM25S Broadcast SSID Enabled Security Open Encryption None Authentication None Default transmit
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 673
    ProSecure Unified Threat Management (UTM) Appliance Physical and Technical Specifications The following table shows the physical and technical specifications for the UTM: Table 194. UTM physical and technical specifications Feature Network protocol and standards compatibility Data and Routing
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 674
    IPSec authentication algorithm SHA-1, MD5 IPSec key exchange IKE, manual key, pre-shared key, PKI, X.500 IPSec authentication types Local user database, RADIUS PAP, RADIUS CHAP IPSec certificates supported CA certificate, self-signed certificate Default Settings and Technical Specifications
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 675
    Management Web-based configuration and status monitoring Number of concurrent users supported The number of supported dedicated SSL VPN tunnels depends on the model (see NETGEAR's documentation at http://prosecure.netgear.com). SSL versions SSLv3, TLS1.0 SSL encryption algorithm DES, 3DES
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 676
    ProSecure Unified Threat Management (UTM) Appliance Table 197. Wireless specifications UTM9S and UTM25S wireless network module (continued) Feature Description 802.11a/na wireless specifications 802.11a data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps, and autorate capable 802.11na data rates (
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 677
    Country. Therefore, all options described in this user's guide may not be available in your version of the This product does not contain any user serviceable components and is to be used with antenna or transmitter. FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 678
    in accordance with the instructions, may cause harmful unless expressly approved by NETGEAR, Inc., could void conforme à la norme NMB-003 du Canada. European Union The ProSecure Unified Threat EC and Low Voltage Directive 2006/95/EC as supported by applying the following test methods and standards: •
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 679
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 680
    ProSecure Unified Threat Management (UTM) Appliance MD5 PPP Zlib Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 681
    particular Region or Country. Therefore, all options described in this user's guide may not be available in your version of the product. Europe - Ghz), EN60950-1 For the complete EU Declarations of Conformity, visit http://support.netgear.com/app/answers/detail/a_id/11621. EDOC in Languages of the
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 682
    Radiolan in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Malti [Maltese] Hawnhekk, NETGEAR Inc., jiddikjara li dan Radiolan jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC. Magyar
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 683
    sem gerðar eru í tilskipun 1999/5/EC. Norsk [Norwegian] NETGEAR Inc. erklærer herved at utstyret Radiolan er i samsvar med public access to telecommunications and/or network services. This device may not be used for Radio Frequency Interference Warnings & Instructions This equipment has been tested
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 684
    MHz and these radars could cause interference and/or damage to LE-LAN devices. Ce dispositif est conforme à la norme CNR-210 d'Industrie Canada applicable aux appareils radio exempts de licence. Son fonctionnement est sujet aux deux conditions suivantes: (1) le dispositif ne doit pas produire de
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 685
    ProSecure Unified Threat Management (UTM) Appliance Interference Reduction Table The following table shows the recommended minimum distance between NETGEAR equipment and household appliances to reduce interference (in feet and meters). Household Appliance Microwave ovens Baby Monitor - Analog Baby
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 686
    DSL settings 572-574 USB settings 618-620 WAN settings 91-93 3G service, enabling 606 3G/4G dongles, supported 603 64-, 128-, and 256-bit WEP 592 802.11a/b/bg/ 341, 361 AD (Active Directory) described 379, 384-388 manual configuration 391 SSL VPN Wizard 344 address reservation 116 Address Resolution
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 687
    446 bandwidth capacity 428-429 bandwidth limits, logging dropped packets 477 bandwidth profiles creating 171-174 shifting traffic mix 435 basic service set (BSS) 586 basic service set identifier (BSSID) 586 beacon interval, radio 599 best effort traffic, WMM QoS 600 blacklist emails 203 URLs 226
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 688
    authentication 228 commercial CAs 232, 420 CRL 421, 426 CSR 423 exchange 228 NETGEAR default 233 overview 419 PKCS12 format 233 self-signed 231, 420, 422 423 CTS (Clear to Send) packets and self protection, radio 599 custom services, firewall 163 D Data Encryption Standard (DES) 297, 306-307, 315
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 689
    troubleshooting settings 546 DC (domain controller) agent, configuring 409-414 DDNS (dynamic DNS), configuring DSL settings 572 USB settings 618 WAN settings 91 DDoS (distributed denial-of-service 43 MTU 95, 576 NETGEAR certificate 233 password 43, supported 603 DoS (denial of service) advanced IPS settings
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 690
    309 EICAR test file 68 electronic licensing 67 email notification server configuring manually 466 settings, using the Setup Wizard 62 SMTP server 62 emails blocking 673 error messages and log messages, understanding 648 ESS (extended service set) 586 Ethernet ports 25-28 exceptions for web access,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 691
    19 QoS profiles 169 rules numbers and types supported 129 order of precedence 138 See also inbound service groups 165 VPN policies 394 web access exceptions, applying to groups 253 guest access, wireless 602 guests, user account 401-403 GUI (graphical user interface) described 44 troubleshooting
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 692
    initial connection 41 installation guide 41 installation, verifying 607 WAN settings 78 form, saving information 625 manually configuring DSL settings 556 USB settings 604 WAN settings . Internet Message Access Protocol. See IMAP. Internet Service Provider. See ISP. intrusion prevention system. See
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 693
    272 default settings 670-671 described 21 gateway-to-gateway tunnels, setting up 266 IPSec VPN. See VPN tunnels. ISAKMP identifier 293, 297 ISP connection, troubleshooting 541 gateway IP address DSL settings 559 WAN settings 54, 78 login DSL settings 557 WAN settings 52, 75 J Java 218, 222 K keep
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 694
    , VLAN 498 memory usage 487 Message-Digest algorithm 5. See MD5. metering WAN traffic 462 metric, static routes 122 MIAS (Microsoft Internet Authentication Service) described 379 MIAS-CHAP and MIAS-PAP 344, 391 Microsoft Point-to-Point Encryption (MPPE) 333 misclassification of URLs 224 ModeConfig
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 695
    NetBIOS, VPN tunnels 304, 330 NETGEAR registration server 24 network authentication, wireless troubleshooting 546 O objects, embedded 222 offline upgrade, firmware 451 one-time passcode (OTP) 644-646 online documentation 548 support overview 129 reducing traffic 429 service blocking 129 settings 130
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 696
    Internet ports 157 responding on LAN ports 158 troubleshooting TCP/IP 543 using the ping utility 532 PKCS12 300 groups, configuring 394 managing 291 manually generated 300 SSL VPN managing 371 port membership, VLANs 105 port numbers customized services 163 port triggering 183 SSL VPN port forwarding
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 697
    settings 87-88 protocols compatibilities 673 emails 194 RIP 21 service numbers 163 setting access exceptions 256 supported 17 traffic volume by protocol 465 web 210 proxies for region, radio 581 registering with NETGEAR 65 registration information 24 regulatory compliance major requirements 674 697
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 698
    wired products 677-680 relay gateway 50, 106, 119 Remote Authentication Dial In User Service. See RADIUS. remote management access 438 troubleshooting 440 remote troubleshooting, enabling 546 remote users, assigning addresses (ModeConfig) 312 reports administrator emailing options 530 email
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 699
    19, 127 split tunnel 365 spoofing MAC addresses 542 SSIDs (service set identifiers) assigning a name and broadcasting 590 broadcasting and period 368 logs 357, 470, 508-510 Mac SSL VPN connection 377 manual configuration steps 357 network resources 369 overview 19 policies managing 371 settings 374
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 700
    manually ) 45 support online 546 technical 2 suspicious files, sending to NETGEAR 547 SYN network, troubleshooting 543 settings 49 technical specifications 673 technical support 2 temperatures 508-510 traffic statistics 479 ToS (Type of Service) inbound rules, QoS profile 137 outbound rules,
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 701
    Control Protocol (TCP) 184 transmit power, radio 583 Transport Layer Security (TLS) 345, 392 traps, SNMP 442 trial period, service licenses 65 troubleshooting basic functioning 539 browsers 540 configuration settings, using sniffer 540 date and time settings 546 defaults 541 ISP connection 541 LEDs
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 702
    VoIP (voice over IP) traffic ALG and SIP 161 WMM QoS 600 VPN (virtual path identifier) 553 VPN client Configuration Wizard, using 276 configuring manually 280 Mode Config tunnel, opening 326 Mode Config, configuring 319 tunnel, opening 287 VPN IPSec Wizard. See IPSec VPN Wizard. VPN SSL Wizard 21
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 703
    web filtering executable, audio, video, and compressed files 222, 256 web management interface described 44 troubleshooting 540 web objects, blocking 218, 222 web protection See FTP. See HTTP. See HTTPS. and configuring 588-592 security options described 584-587 wireless service, 3G/4G 608 703
  • Netgear UTM25EW-100NAS | Reference Manual 3.0.1-124 - Page 704
    ProSecure Unified Threat Management (UTM) Appliance wireless specifications 675 Wizards Setup Wizard 47 IPSec VPN. See IPSec VPN Wizard. SSL VPN. See SSL VPN Wizard. WMM (Wi-Fi Multimedia) power saving, radio 599 priority 600 WPA (Wi-Fi protected access), WPA2, and mixed mode configuring 590-592
  • 652
  • 653
  • 654
  • 655
  • 656
  • 657
  • 658
  • 659
  • 660
  • 661
  • 662
  • 663
  • 664
  • 665
  • 666
  • 667
  • 668
  • 669
  • 670
  • 671
  • 672
  • 673
  • 674
  • 675
  • 676
  • 677
  • 678
  • 679
  • 680
  • 681
  • 682
  • 683
  • 684
  • 685
  • 686
  • 687
  • 688
  • 689
  • 690
  • 691
  • 692
  • 693
  • 694
  • 695
  • 696
  • 697
  • 698
  • 699
  • 700
  • 701
  • 702
  • 703
  • 704

ProSecure Unified Threat Management (UTM) Appliance Reference Manual

350 East Plumeria Drive
San Jose, CA 95134
USA

October 2012
202-10780-03
v1.0