Home » Netgear Manuals » Network Security & Firewall Devices » Netgear UTM25S » Manual Viewer

Netgear UTM25S Reference Manual 3.0.1-124 - Page 229

Manage SSL Certificates, for HTTPS Scanning, Specify Trusted Hosts for HTTPS Scanning

Add to My Manuals
Save this manual to your list of manuals

Page 229 highlights

ProSecure Unified Threat Management (UTM) Appliance During SSL authentication, the HTTPS client authenticates three items: • Is the SSL certificate trusted? • Has the SSL certificate expired? • Does the name on the SSL certificate match that of the website? If one of these items is not authenticated, a security alert message displays in the browser window: Figure 124. However, even when a certificate is trusted or still valid, or when the name of a certificate does match the name of the website, a security alert message still displays when a user who is connected to the UTM visits an HTTPS site. The appearance of this security alert message is expected behavior because the HTTPS client receives a certificate from the UTM instead of directly from the HTTPS server. If you want to prevent this security alert message from displaying, install a root certificate on the client computer. The root certificate can be downloaded from the UTM's Manager Login screen (see Figure 20 on page 43). If client authentication is required, the UTM might not be able to scan the HTTPS traffic because of the nature of SSL. SSL has two parts-client and server authentication. HTTPS server authentication occurs with every HTTPS request, but HTTPS client authentication is not mandatory, and rarely occurs. Therefore it is of less importance whether the HTTPS request comes from the UTM or from the real HTTPS client. However, certain HTTPS servers do require HTTPS client certificate authentication for every HTTPS request. Because of the design of SSL, the HTTPS client needs to present its own certificate in this situation rather than using the one from the UTM, preventing the UTM from scanning the HTTPS traffic. For information about certificates, see Manage SSL Certificates for HTTPS Scanning on page 231. You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning. For more information, see Specify Trusted Hosts for HTTPS Scanning on page 235. Content Filtering and Optimizing Scans 229

Section	Page
ProSecure Unified Threat Management (UTM) Appliance	1
Contents	5
1. Introduction	15
What Is the ProSecure Unified Threat Management (UTM) Appliance?	15
Key Features and Capabilities	16
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing	17
Wireless Features	18
DSL Features	18
Advanced VPN Support for Both IPSec and SSL	18
A Powerful, True Firewall	19
Stream Scanning for Content Filtering	19
Security Features	20
Autosensing Ethernet Connections with Auto Uplink	20
Extensive Protocol Support	21
Easy Installation and Management	21
Maintenance and Support	22
Model Comparison	22
Service Registration Card with License Keys	23
Package Contents	24
Hardware Features	24
Front Panel UTM5 and UTM10	25
Front Panel UTM25	26
Front Panel UTM50	26
Front Panel UTM150	27
Front Panel UTM9S and UTM25S and Network Modules	28
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150	30
LED Descriptions, UTM9S, UTM25S, and their Network Modules	32
Rear Panel UTM5, UTM10, and UTM25	33
Rear Panel UTM50 and UTM150	34
Rear Panel UTM9S and UTM25S	35
Bottom Panels with Product Labels	36
Choose a Location for the UTM	39
Use the Rack-Mounting Kit	40
2. Use the Setup Wizard to Provision the UTM in Your Network	41
Steps for Initial Connection	41
Qualified Web Browsers	42
Requirements for Entering IP Addresses	42
Log In to the UTM	42
Web Management Interface Menu Layout	44
Use the Setup Wizard to Perform the Initial Configuration	47
Setup Wizard Step 1 of 10: LAN Settings	48
Setup Wizard Step 2 of 10: WAN Settings	51
Setup Wizard Step 3 of 10: System Date and Time	54
Setup Wizard Step 4 of 10: Services	55
Setup Wizard Step 5 of 10: Email Security	57
Setup Wizard Step 6 of 10: Web Security	58
Setup Wizard Step 7 of 10: Web Categories to Be Blocked	60
Setup Wizard Step 8 of 10: Email Notification	62
Setup Wizard Step 9 of 10: Signatures & Engine	63
Setup Wizard Step 10 of 10: Saving the Configuration	64
Register the UTM with NETGEAR	65
Use the Web Management Interface to Activate Licenses	65
Electronic Licensing	67
Automatic Retrieval of Licenses after a Factory Default Reset	67
Verify Correct Installation	68
Test Connectivity	68
Test HTTP Scanning	68
What to Do Next	68
3. Manually Configure Internet and WAN Settings	70
Internet and WAN Configuration Tasks	71
Automatically Detecting and Connecting the Internet Connections	71
Manually Configure the Internet Connection	75
Configure the WAN Mode	80
Overview of the WAN Modes	80
Configure Network Address Translation (All Models)	81
Configure Classical Routing (All Models)	82
Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models)	82
Configure Load Balancing and Optional Protocol Binding (Multiple WAN Port Models)	85
Configure Secondary WAN Addresses	89
Configure Dynamic DNS	91
Set the UTM’s MAC Address and Configure Advanced WAN Options	94
Additional WAN-Related Configuration Tasks	97
4. LAN Configuration	98
Manage Virtual LANs and DHCP Options	98
Port-Based VLANs	99
Assign and Manage VLAN Profiles	100
VLAN DHCP Options	101
Configure a VLAN Profile	103
Configure VLAN MAC Addresses and Advanced LAN Settings	108
Configure Multihome LAN IP Addresses on the Default VLAN	109
Manage Groups and Hosts (LAN Groups)	111
Manage the Network Database	112
Change Group Names in the Network Database	115
Set Up Address Reservation	116
Configure and Enable the DMZ Port	117
Manage Routing	121
Configure Static Routes	121
Configure Routing Information Protocol	123
Static Route Example	126
5. Firewall Protection	127
About Firewall Protection	127
Administrator Tips	128
Overview of Rules to Block or Allow Specific Kinds of Traffic	128
Outbound Rules (Service Blocking)	129
Inbound Rules (Port Forwarding)	133
Order of Precedence for Rules	138
Configure LAN WAN Rules	139
Create LAN WAN Outbound Service Rules	140
Create LAN WAN Inbound Service Rules	141
Configure DMZ WAN Rules	142
Create DMZ WAN Outbound Service Rules	144
Create DMZ WAN Inbound Service Rules	144
Configure LAN DMZ Rules	145
Create LAN DMZ Outbound Service Rules	147
Create LAN DMZ Inbound Service Rules	147
Examples of Firewall Rules	148
Inbound Rule Examples	148
Outbound Rule Example	153
Configure Other Firewall Features	154
VLAN Rules	154
Attack Checks, VPN Pass-through, and Multicast Pass-through	157
Set Session Limits	160
Manage the Application Level Gateway for SIP Sessions and VPN Scanning	161
Create Services, QoS Profiles, Bandwidth Profiles, and Traffic Meter Profiles	162
Add Customized Services	163
Create Service Groups	165
Create IP Groups	167
Create Quality of Service Profiles	169
Create Bandwidth Profiles	171
Create Traffic Meter Profiles	174
Set a Schedule to Block or Allow Specific Traffic	177
Enable Source MAC Filtering	179
Set Up IP/MAC Bindings	181
Configure Port Triggering	183
Configure Universal Plug and Play	186
Enable and Configure the Intrusion Prevention System	187
6. Content Filtering and Optimizing Scans	192
About Content Filtering and Scans	192
Default Email and Web Scan Settings	193
Configure Email Protection	194
Customize Email Protocol Scan Settings	194
Customize Email Antivirus and Notification Settings	196
Email Content Filtering	199
Protect Against Email Spam	202
Configure Web and Services Protection	210
Customize Web Protocol Scan Settings	210
Configure HTTPS Smart Block	212
Configure Web Malware or Antivirus Scans	216
Configure Web Content Filtering	218
Configure Web URL Filtering	224
Configure HTTPS Scanning and SSL Certificates	228
How HTTPS Scanning Works	228
Configure the HTTPS Scan Settings	230
Manage SSL Certificates for HTTPS Scanning	231
Specify Trusted Hosts for HTTPS Scanning	235
Configure the SSL Settings for HTTPS Scanning	237
Configure FTP Scanning	238
Customize FTP Antivirus Settings	238
Configure FTP Content Filtering	239
Configure Application Control	240
Set Exception Rules for Web and Application Access	248
Create Custom Categories for Exceptions for Web and Application Access	258
Set Scanning Exclusions for IP Addresses and Ports	262
7. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections	264
Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only)	264
Use the IPSec VPN Wizard for Client and Gateway Configurations	266
Create Gateway-to-Gateway VPN Tunnels with the Wizard	266
Create a Client-to-Gateway VPN Tunnel	271
Test the Connection and View Connection and Status Information	287
Test the NETGEAR VPN Client Connection	287
NETGEAR VPN Client Status and Log Information	289
View the UTM IPSec VPN Connection Status	289
View the UTM IPSec VPN Log	290
Manage IPSec VPN and IKE Policies	291
Manage IKE Policies	292
Manage VPN Policies	300
Configure Extended Authentication (XAUTH)	308
Configure XAUTH for VPN Clients	309
User Database Configuration	310
RADIUS Client and Server Configuration	310
Assign IP Addresses to Remote Users (Mode Config)	312
Mode Config Operation	312
Configure Mode Config Operation on the UTM	312
Configure the ProSafe VPN Client for Mode Config Operation	319
Test the Mode Config Connection	326
Modify or Delete a Mode Config Record	327
Configure Keep-Alives and Dead Peer Detection	328
Configure Keep-Alives	328
Configure Dead Peer Detection	329
Configure NetBIOS Bridging with IPSec VPN	330
Configure the PPTP Server	331
View the Active PPTP Users	333
Configure the L2TP Server	334
View the Active L2TP Users	336
For More IPSec VPN Information	336
8. Virtual Private Networking Using SSL Connections	337
SSL VPN Portal Options	337
Build a Portal Using the SSL VPN Wizard	338
SSL VPN Wizard Step 1 of 6 (Portal Settings)	339
SSL VPN Wizard Step 2 of 6 (Domain Settings)	342
SSL VPN Wizard Step 3 of 6 (User Settings)	347
SSL VPN Wizard Step 4 of 6 (Client IP Addresses and Routes)	348
SSL VPN Wizard Step 5 of 6 (Port Forwarding)	350
SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings)	351
Access the New SSL VPN Portal	353
View the UTM SSL VPN Connection Status	356
View the UTM SSL VPN Log	357
Manually Configure and Modify SSL Portals	357
Manually Create or Modify the Portal Layout	359
Configure Domains, Groups, and Users	362
Configure Applications for Port Forwarding	363
Configure the SSL VPN Client	365
Use Network Resource Objects to Simplify Policies	369
Configure User, Group, and Global Policies	371
For More SSL VPN Information	377
9. Manage Users, Authentication, and VPN Certificates	378
Authentication Process and Options	378
Configure Authentication Domains, Groups, and Users	380
Login Portals	380
Active Directories and LDAP Configurations	384
Configure Domains	388
Configure Groups	394
Configure Custom Groups	397
Configure User Accounts	401
Set User Login Policies	404
Change Passwords and Other User Settings	408
DC Agent	409
Configure RADIUS VLANs	415
Configure Global User Settings	416
View and Log Out Active Users	417
Manage Digital Certificates for VPN Connections	419
VPN Certificates Screen	420
Manage CA Certificates	421
Manage Self-Signed Certificates	422
Manage the Certificate Revocation List	426
10. Network and System Management	428
Performance Management	428
Bandwidth Capacity	428
Features That Reduce Traffic	429
Features That Increase Traffic	432
Use QoS and Bandwidth Assignments to Shift the Traffic Mix	435
Monitoring Tools for Traffic Management	436
System Management	436
Change Passwords and Administrator and Guest Settings	436
Configure Remote Management Access	438
Use a Simple Network Management Protocol Manager	440
Manage the Configuration File	445
Update the Firmware	448
Update the Scan Signatures and Scan Engine Firmware	454
Configure Date and Time Service	456
Connect to a ReadyNAS and Configure Quarantine Settings	458
Log Storage	459
Connect to a ReadyNAS	459
Configure the Quarantine Settings	460
11. Monitor System Access and Performance	462
Enable the WAN Traffic Meter	462
Configure Logging, Alerts, and Event Notifications	466
Configure the Email Notification Server	466
Configure and Activate System, Email, and Syslog Logs	467
How to Send Syslogs over a VPN Tunnel between Sites	471
Configure and Activate Update Failure and Attack Alerts	473
Configure and Activate Firewall Logs	476
Monitor Real-Time Traffic, Security, and Statistics	477
Monitor Application Use in Real Time	483
View Status Screens	486
View the System Status	486
View the Active VPN Users	499
View the VPN Tunnel Connection Status	500
View the Active PPTP and L2TP Users	501
View the Port Triggering Status	502
View the WAN, xDSL, or USB Port Status	504
View Attached Devices and the DHCP Leases	505
Query and Manage the Logs	507
Overview of the Logs	508
Query and Download Logs	509
Example: Use the Logs to Identify Infected Clients	513
Log Management	514
Query and Manage the Quarantine Logs	514
Query the Quarantined Logs	515
View and Manage the Quarantined Spam Table	517
View and Manage the Quarantined Infected Files Table	518
Spam Reports for End Users	519
View, Schedule, and Generate Reports	520
Enable Application Session Monitoring	521
Report Filtering Options	522
Use Report Templates and View Reports Onscreen	524
Schedule, Email, and Manage Reports	529
Use Diagnostics Utilities	531
Use the Network Diagnostic Tools	532
Use the Real-Time Traffic Diagnostics Tool	533
Gather Important Log Information and Generate a Network Statistics Report	534
Perform Maintenance on the USB Device, Reboot the UTM, or Shut Down the UTM	536
12. Troubleshoot and Use Online Support	538
Basic Functioning	539
Verify the Correct Sequence of Events at Startup	539
Power LED Not On	539
Test LED Never Turns Off	539
LAN or WAN Port LEDs Not On	540
Troubleshoot the Web Management Interface	540
When You Enter a URL or IP Address, a Time-Out Error Occurs	541
Troubleshoot the ISP Connection	541
Troubleshoot a TCP/IP Network Using a Ping Utility	543
Test the LAN Path to Your UTM	543
Test the Path from Your Computer to a Remote Device	544
Restore the Default Configuration and Password	545
Problems with Date and Time	546
Use Online Support	546
Enable Remote Troubleshooting	546
Send Suspicious Files to NETGEAR for Analysis	547
Access the Knowledge Base and Documentation	548
A. xDSL Network Module for the UTM9S and UTM25S	549
xDSL Network Module Configuration Tasks	550
Configure the xDSL Settings	550
Automatically Detecting and Connecting the xDSL Internet Connection	553
Manually Configure the xDSL Internet Connection	556
Configure the WAN Mode	561
Overview of the WAN Modes	561
Configure Network Address Translation	562
Configure Classical Routing	563
Configure Auto-Rollover Mode and the Failure Detection Method	563
Configure Load Balancing and Optional Protocol Binding	566
Configure Secondary WAN Addresses	570
Configure Dynamic DNS	572
Set the UTM’s MAC Address and Configure Advanced WAN Options	574
Additional WAN-Related Configuration Tasks	577
B. Wireless Network Module for the UTM9S and UTM25S	578
Overview of the Wireless Network Module	579
Configuration Order	579
Wireless Equipment Placement and Range Guidelines	579
Configure the Basic Radio Settings	580
Operating Frequency (Channel) Guidelines	583
Wireless Data Security Options	584
Wireless Security Profiles	585
Before You Change the SSID, WEP, and WPA Settings	587
Configure and Enable Wireless Profiles	588
Restrict Wireless Access by MAC Address	593
View the Access Point Status and Connected Clients for a Wireless Profile	595
Configure a Wireless Distribution System	596
Configure Advanced Radio Settings	598
Configure WMM QoS Priority Settings	600
Test Basic Wireless Connectivity	602
For More Information About Wireless Configurations	602
C. 3G/4G Dongles for the UTM9S and UTM25S	603
3G/4G Dongle Configuration Tasks	603
Manually Configure the USB Internet Connection	604
Configure the 3G/4G Settings	608
Configure the WAN Mode	610
Overview of the WAN Modes	611
Configure Network Address Translation	612
Configure Classical Routing	613
Configure Load Balancing and Optional Protocol Binding	614
Configure Dynamic DNS	618
Additional WAN-Related Configuration Tasks	621
D. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only)	622
What to Consider Before You Begin	622
Plan Your Network and Network Management and Set Up Accounts	622
Cabling and Computer Hardware Requirements	624
Computer Network Configuration Requirements	624
Internet Configuration Requirements	624
Overview of the Planning Process	626
Inbound Traffic	627
Inbound Traffic to a Single WAN Port System	628
Inbound Traffic to a Dual WAN Port System	628
Virtual Private Networks	629
VPN Road Warrior (Client-to-Gateway)	630
VPN Gateway-to-Gateway	633
VPN Telecommuter (Client-to-Gateway through a NAT Router)	635
E. ReadyNAS Integration	638
Supported ReadyNAS Models	638
Install the UTM Add-On on the ReadyNAS	639
Connect to the ReadyNAS on the UTM	641
F. Two-Factor Authentication	644
Why Do I Need Two-Factor Authentication?	644
What Are the Benefits of Two-Factor Authentication?	644
What Is Two-Factor Authentication?	645
NETGEAR Two-Factor Authentication Solutions	645
G. System Logs and Error Messages	648
System Log Messages	649
System Startup	649
Reboot	649
NTP	650
Login/Logout	650
Firewall Restart	651
IPSec Restart	651
WAN Status	651
Traffic Metering Logs	655
Unicast, Multicast, and Broadcast Logs	655
Invalid Packet Logging	656
Service Logs	658
Content-Filtering and Security Logs	658
Web Filtering and Content-Filtering Logs	659
Spam Logs	660
Traffic Logs	661
Malware Logs	661
Email Filter Logs	661
IPS Logs	662
Anomaly Behavior Logs	662
Application Logs	663
Routing Logs	663
LAN-to-WAN Logs	663
LAN-to-DMZ Logs	664
DMZ-to-WAN Logs	664
WAN-to-LAN Logs	664
DMZ-to-LAN Logs	665
WAN-to-DMZ Logs	665
H. Default Settings and Technical Specifications	666
Default Settings	666
Physical and Technical Specifications	673
I. Notification of Compliance (Wired)	677
J. Notification of Compliance (Wireless)	681

Match case Limit results 1 per page

Content Filtering and Optimizing Scans

229

ProSecure Unified Threat Management (UTM) Appliance

During SSL authentication, the HTTPS client authenticates three items:

•

Is the SSL certificate trusted?

•

Has the SSL certificate expired?

•

Does the name on the SSL certificate match that of the website?

If one of these items is not authenticated, a security alert message displays in the browser

window:

Figure 124.

However, even when a certificate is trusted or still valid, or when the name of a certificate

does match the name of the website, a security alert message still displays when a user who

is connected to the UTM visits an HTTPS site. The appearance of this security alert message

is expected behavior because the HTTPS client receives a certificate from the UTM instead

of directly from the HTTPS server. If you want to prevent this security alert message from

displaying, install a root certificate on the client computer. The root certificate can be

downloaded from the UTM’s Manager Login screen (see

Figure 20

on page 43).

If client authentication is required, the UTM might not be able to scan the HTTPS traffic

because of the nature of SSL. SSL has two parts—client and server authentication. HTTPS

server authentication occurs with every HTTPS request, but HTTPS client authentication is

not mandatory, and rarely occurs. Therefore it is of less importance whether the HTTPS

request comes from the UTM or from the real HTTPS client.

However, certain HTTPS servers do require HTTPS client certificate authentication for every

HTTPS request. Because of the design of SSL, the HTTPS client needs to present its own

certificate in this situation rather than using the one from the UTM, preventing the UTM from

scanning the HTTPS traffic. For information about certificates, see

Manage SSL Certificates

for HTTPS Scanning

on page 231.

You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning. For more

information, see

Specify Trusted Hosts for HTTPS Scanning

on page 235.