| Section |
Page |
| ProSecure Unified Threat Management (UTM) Appliance |
1 |
| Contents |
4 |
| 1. Introduction |
13 |
| What Is the ProSecure Unified Threat Management (UTM) Appliance? |
13 |
| Key Features and Capabilities |
14 |
| Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing |
15 |
| Wireless Features |
15 |
| DSL Features |
15 |
| Advanced VPN Support for Both IPSec and SSL |
16 |
| A Powerful, True Firewall |
16 |
| Stream Scanning for Content Filtering |
16 |
| Security Features |
17 |
| Autosensing Ethernet Connections with Auto Uplink |
17 |
| Extensive Protocol Support |
18 |
| Easy Installation and Management |
18 |
| Maintenance and Support |
19 |
| Model Comparison |
19 |
| Service Registration Card with License Keys |
20 |
| Package Contents |
21 |
| Hardware Features |
22 |
| Front Panel UTM5 and UTM10 |
22 |
| Front Panel UTM25 |
23 |
| Front Panel UTM50 |
24 |
| Front Panel UTM150 |
24 |
| Front Panel UTM9S and Modules |
25 |
| LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 |
27 |
| LED Descriptions, UTM9S and Modules |
28 |
| Rear Panel UTM5, UTM10, and UTM25 |
30 |
| Rear Panel UTM50 and UTM150 |
31 |
| Rear Panel UTM9S |
31 |
| Bottom Panels with Product Labels |
32 |
| Choose a Location for the UTM |
35 |
| Use the Rack-Mounting Kit |
36 |
| 2. Using the Setup Wizard to Provision the UTM in Your Network |
37 |
| Steps for Initial Connection |
37 |
| Qualified Web Browsers |
38 |
| Requirements for Entering IP Addresses |
38 |
| Log In to the UTM |
38 |
| Web Management Interface Menu Layout |
40 |
| Use the Setup Wizard to Perform the Initial Configuration |
42 |
| Setup Wizard Step 1 of 10: LAN Settings |
43 |
| Setup Wizard Step 2 of 10: WAN Settings |
46 |
| Setup Wizard Step 3 of 10: System Date and Time |
49 |
| Setup Wizard Step 4 of 10: Services |
51 |
| Setup Wizard Step 5 of 10: Email Security |
53 |
| Setup Wizard Step 6 of 10: Web Security |
55 |
| Setup Wizard Step 7 of 10: Web Categories to Be Blocked |
57 |
| Setup Wizard Step 8 of 10: Email Notification |
59 |
| Setup Wizard Step 9 of 10: Signatures & Engine |
60 |
| Setup Wizard Step 10 of 10: Saving the Configuration |
61 |
| Verify Correct Installation |
61 |
| Test Connectivity |
62 |
| Test HTTP Scanning |
62 |
| Register the UTM with NETGEAR |
62 |
| Electronic Licensing |
64 |
| What to Do Next |
64 |
| 3. Manually Configuring Internet and WAN Settings |
66 |
| Internet and WAN Configuration Tasks |
67 |
| Automatically Detecting and Connecting the Internet Connections |
67 |
| Set the UTM’s MAC Address |
71 |
| Manually Configure the Internet Connection |
71 |
| Configure the WAN Mode |
75 |
| Configure Network Address Translation (All Models) |
77 |
| Configure Classical Routing (All Models) |
77 |
| Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) |
78 |
| Configure Load Balancing and Optional Protocol Binding |
81 |
| Configure Secondary WAN Addresses |
85 |
| Configure Dynamic DNS |
87 |
| Configure Advanced WAN Options |
90 |
| Additional WAN-Related Configuration Tasks |
92 |
| 4. LAN Configuration |
93 |
| Manage Virtual LANs and DHCP Options |
93 |
| Port-Based VLANs |
94 |
| Assign and Manage VLAN Profiles |
95 |
| VLAN DHCP Options |
96 |
| Configure a VLAN Profile |
98 |
| Configure VLAN MAC Addresses and Advanced LAN Settings |
103 |
| Configure Multihome LAN IPs on the Default VLAN |
104 |
| Manage Groups and Hosts (LAN Groups) |
106 |
| Manage the Network Database |
107 |
| Change Group Names in the Network Database |
110 |
| Set Up Address Reservation |
111 |
| Configure and Enable the DMZ Port |
112 |
| Manage Routing |
115 |
| Configure Static Routes |
116 |
| Configure Routing Information Protocol |
118 |
| Static Route Example |
120 |
| 5. Firewall Protection |
121 |
| About Firewall Protection |
121 |
| Administrator Tips |
122 |
| Use Rules to Block or Allow Specific Kinds of Traffic |
122 |
| Service-Based Rules |
123 |
| Order of Precedence for Rules |
130 |
| Set LAN WAN Rules |
130 |
| Set DMZ WAN Rules |
133 |
| Set LAN DMZ Rules |
136 |
| Inbound Rule Examples |
139 |
| Outbound Rule Example |
143 |
| Configure Other Firewall Features |
144 |
| VLAN Rules |
144 |
| Attack Checks, VPN Pass-through, and Multicast Pass-through |
146 |
| Set Session Limits |
150 |
| Manage the Application Level Gateway for SIP Sessions |
151 |
| Create Services, QoS Profiles, and Bandwidth Profiles |
152 |
| Add Customized Services |
152 |
| Create Service Groups |
154 |
| Create IP Groups |
156 |
| Create Quality of Service Profiles |
158 |
| Create Bandwidth Profiles |
160 |
| Set a Schedule to Block or Allow Specific Traffic |
163 |
| Enable Source MAC Filtering |
164 |
| Set Up IP/MAC Bindings |
166 |
| Configure Port Triggering |
168 |
| Configure Universal Plug and Play |
171 |
| Use the Intrusion Prevention System |
172 |
| 6. Content Filtering and Optimizing Scans |
175 |
| About Content Filtering and Scans |
175 |
| Default Email and Web Scan Settings |
176 |
| Configure Email Protection |
178 |
| Customize Email Protocol Scan Settings |
178 |
| Customize Email Antivirus and Notification Settings |
179 |
| Email Content Filtering |
183 |
| Protect Against Email Spam |
186 |
| Configure Web and Services Protection |
194 |
| Customize Web Protocol Scan Settings and Services (Web Applications) |
194 |
| Configure Web Malware Scans |
197 |
| Configure Web Content Filtering |
199 |
| Configure Web URL Filtering |
206 |
| HTTPS Scan Settings |
209 |
| Manage Digital Certificates for HTTPS Scans |
213 |
| Specify Trusted Hosts |
218 |
| Configure FTP Scans |
219 |
| Set Web Access Exception Rules |
221 |
| Create Custom Groups for Web Access Exceptions |
228 |
| Create Custom Categories for Web Access Exceptions |
231 |
| Set Scanning Exclusions |
235 |
| 7. Virtual Private Networking Using IPSec Connections |
237 |
| Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only) |
237 |
| Use the IPSec VPN Wizard for Client and Gateway Configurations |
239 |
| Create Gateway-to-Gateway VPN Tunnels with the Wizard |
239 |
| Create a Client-to-Gateway VPN Tunnel |
243 |
| Test the Connection and View Connection and Status Information |
258 |
| Test the NETGEAR VPN Client Connection |
258 |
| NETGEAR VPN Client Status and Log Information |
260 |
| View the UTM IPSec VPN Connection Status |
260 |
| View the UTM IPSec VPN Log |
261 |
| Manage IPSec VPN Policies |
262 |
| Manage IKE Policies |
262 |
| Manage VPN Policies |
269 |
| Configure Extended Authentication (XAUTH) |
277 |
| Configure XAUTH for VPN Clients |
277 |
| User Database Configuration |
278 |
| RADIUS Client Configuration |
279 |
| Assign IP Addresses to Remote Users (Mode Config) |
281 |
| Mode Config Operation |
281 |
| Configure Mode Config Operation on the UTM |
281 |
| Configure the ProSafe VPN Client for Mode Config Operation |
288 |
| Test the Mode Config Connection |
295 |
| Modify or Delete a Mode Config Record |
296 |
| Configure Keep-Alives and Dead Peer Detection |
297 |
| Configure Keep-Alives |
297 |
| Configure Dead Peer Detection |
298 |
| Configure NetBIOS Bridging with IPSec VPN |
299 |
| Configure the PPTP Server (UTM9S Only) |
300 |
| View the Active PPTP Users |
302 |
| Configure the L2TP Server (UTM9S Only) |
303 |
| View the Active L2TP Users |
304 |
| 8. Virtual Private Networking Using SSL Connections |
306 |
| SSL VPN Portal Options |
306 |
| Use the SSL VPN Wizard for Client Configurations |
307 |
| SSL VPN Wizard Step 1 of 6 (Portal Settings) |
308 |
| SSL VPN Wizard Step 2 of 6 (Domain Settings) |
310 |
| SSL VPN Wizard Step 3 of 6 (User Settings) |
314 |
| SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes) |
316 |
| SSL VPN Wizard Step 5 of 6 (Port Forwarding) |
317 |
| SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) |
319 |
| Access the New SSL Portal Login Screen |
320 |
| View the UTM SSL VPN Connection Status |
322 |
| View the UTM SSL VPN Log |
322 |
| Manually Configure and Edit SSL Connections |
323 |
| Create the Portal Layout |
324 |
| Configure Domains, Groups, and Users |
328 |
| Configure Applications for Port Forwarding |
328 |
| Configure the SSL VPN Client |
331 |
| Use Network Resource Objects to Simplify Policies |
334 |
| Configure User, Group, and Global Policies |
336 |
| 9. Managing Users, Authentication, and VPN Certificates |
343 |
| Authentication Process and Options |
343 |
| Configure Authentication Domains, Groups, and Users |
345 |
| Login Portals |
345 |
| Active Directories and LDAP Configurations |
349 |
| Configure Domains |
353 |
| Configure Groups |
359 |
| Configure User Accounts |
362 |
| Set User Login Policies |
365 |
| Change Passwords and Other User Settings |
369 |
| DC Agent |
370 |
| Configure RADIUS VLANs |
376 |
| Configure Global User Settings |
377 |
| View and Log Out Active Users |
378 |
| Manage Digital Certificates for VPN Connections |
381 |
| VPN Certificates Screen |
382 |
| Manage CA Certificates |
382 |
| Manage Self-Signed Certificates |
384 |
| Manage the Certificate Revocation List |
388 |
| 10. Network and System Management |
389 |
| Performance Management |
389 |
| Bandwidth Capacity |
389 |
| Features That Reduce Traffic |
390 |
| Features That Increase Traffic |
393 |
| Use QoS and Bandwidth Assignments to Shift the Traffic Mix |
396 |
| Monitoring Tools for Traffic Management |
396 |
| System Management |
397 |
| Change Passwords and Administrator and Guest Settings |
397 |
| Configure Remote Management Access |
399 |
| Use a Simple Network Management Protocol Manager |
401 |
| Manage the Configuration File |
403 |
| Update the Firmware |
405 |
| Update the Scan Signatures and Scan Engine Firmware |
410 |
| Configure Date and Time Service |
412 |
| Connect to a ReadyNAS and Configure Quarantine Settings (UTM9S Only) |
414 |
| Log Storage |
414 |
| Connect to a ReadyNAS |
415 |
| Configure the Quarantine Settings |
416 |
| 11. Monitoring System Access and Performance |
418 |
| Enable the WAN Traffic Meter |
419 |
| Configure Logging, Alerts, and Event Notifications |
422 |
| Configure the Email Notification Server |
422 |
| Configure and Activate System, Email, and Syslog Logs |
423 |
| How to Send Syslogs over a VPN Tunnel between Sites |
427 |
| Configure and Activate Update Failure and Attack Alerts |
429 |
| Configure and Activate Firewall Logs |
432 |
| Monitor Real-Time Traffic, Security, and Statistics |
433 |
| View Status Screens |
439 |
| View the System Status |
439 |
| View the Active VPN Users |
451 |
| View the VPN Tunnel Connection Status |
452 |
| View the PPTP and L2TP Server Status (UTM9S Only) |
453 |
| View the Port Triggering Status |
454 |
| View the WAN Ports Status |
456 |
| View Attached Devices and the DHCP Log |
457 |
| Query the Logs |
460 |
| Query and Download Logs |
461 |
| Example: Use the Logs to Identify Infected Clients |
466 |
| Log Management |
466 |
| Query the Quarantine Logs (UTM9S Only) |
467 |
| Query the Quarantined Logs |
467 |
| View and Manage the Quarantined Spam Table |
470 |
| View and Manage the Quarantined Infected Files Table |
471 |
| Spam Reports for End Users |
472 |
| View, Schedule, and Generate Reports |
473 |
| Report Filtering Options |
474 |
| Use Report Templates and View Reports Onscreen |
476 |
| Schedule, Email, and Manage Reports |
480 |
| Use Diagnostics Utilities |
482 |
| Use the Network Diagnostic Tools (All UTM Models Except the UTM9S) |
483 |
| Use the Network Diagnostic Tools (UTM9S) |
484 |
| Use the Real-Time Traffic Diagnostics Tool (All UTM Models Except the UTM9S) |
486 |
| Use the Real-Time Traffic Diagnostics Tool (UTM9S) |
487 |
| Gather Important Log Information and Generate a Network Statistics Report (All Models) |
488 |
| 12. Troubleshooting and Using Online Support |
491 |
| Basic Functioning |
492 |
| Power LED Not On |
492 |
| Test LED Never Turns Off |
492 |
| LAN or WAN Port LEDs Not On |
493 |
| Troubleshoot the Web Management Interface |
493 |
| When You Enter a URL or IP Address, a Time-Out Error Occurs |
494 |
| Troubleshoot the ISP Connection |
494 |
| Troubleshoot a TCP/IP Network Using a Ping Utility |
496 |
| Test the LAN Path to Your UTM |
496 |
| Test the Path from Your PC to a Remote Device |
497 |
| Restore the Default Configuration and Password |
498 |
| Problems with Date and Time |
499 |
| Use Online Support |
499 |
| Enable Remote Troubleshooting |
499 |
| Send Suspicious Files to NETGEAR for Analysis |
500 |
| Access the Knowledge Base and Documentation |
501 |
| A. xDSL Module for the UTM9S |
502 |
| xDSL Module Configuration Tasks |
502 |
| Configure the xDSL Settings |
503 |
| Automatically Detecting and Connecting the Internet Connection |
505 |
| Set the UTM’s MAC Address |
508 |
| Manually Configure the Internet Connection |
508 |
| Configure the WAN Mode |
512 |
| Configure Network Address Translation |
513 |
| Configure Classical Routing |
514 |
| Configure Auto-Rollover Mode and the Failure Detection Method |
514 |
| Configure Load Balancing and Optional Protocol Binding |
517 |
| Configure Secondary WAN Addresses |
521 |
| Configure Dynamic DNS |
523 |
| Configure Advanced WAN Options |
526 |
| Additional WAN-Related Configuration Tasks |
528 |
| B. Wireless Module for the UTM9S |
529 |
| Overview of the Wireless Module |
529 |
| Configuration Order |
530 |
| Wireless Equipment Placement and Range Guidelines |
530 |
| Configure the Basic Radio Settings |
531 |
| Operating Frequency (Channel) Guidelines |
534 |
| Wireless Data Security Options |
534 |
| Wireless Security Profile |
536 |
| Before You Change the SSID, WEP, and WPA Settings |
537 |
| Configure and Enable Wireless Security Profiles |
538 |
| Configure the Access Point |
542 |
| Restrict Wireless Access by MAC Address |
545 |
| View the Access Point Status and Connected Clients |
546 |
| Configure a Wireless Distribution System |
548 |
| Configure Advanced Radio Settings |
549 |
| Configure Advanced Profile and WMM QoS Priority Settings |
551 |
| Advanced Profile Settings |
551 |
| WMM QoS Priority Settings |
553 |
| Test Basic Wireless Connectivity |
554 |
| C. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) |
556 |
| What to Consider Before You Begin |
556 |
| Cabling and Computer Hardware Requirements |
557 |
| Computer Network Configuration Requirements |
558 |
| Internet Configuration Requirements |
558 |
| Overview of the Planning Process |
560 |
| Inbound Traffic |
561 |
| Inbound Traffic to a Single WAN Port System |
562 |
| Inbound Traffic to a Dual WAN Port System |
562 |
| Virtual Private Networks |
563 |
| VPN Road Warrior (Client-to-Gateway) |
564 |
| VPN Gateway-to-Gateway |
567 |
| VPN Telecommuter (Client-to-Gateway through a NAT Router) |
569 |
| D. ReadyNAS Integration |
572 |
| Supported ReadyNAS Models |
572 |
| Install the UTM9S Add-On on the ReadyNAS |
573 |
| Connect to the ReadyNAS on the UTM9S |
575 |
| E. Two-Factor Authentication |
578 |
| Why Do I Need Two-Factor Authentication? |
578 |
| What Are the Benefits of Two-Factor Authentication? |
578 |
| What Is Two-Factor Authentication? |
579 |
| NETGEAR Two-Factor Authentication Solutions |
579 |
| F. System Logs and Error Messages |
582 |
| System Log Messages |
583 |
| System Startup |
583 |
| Reboot |
583 |
| Service Logs |
583 |
| NTP |
584 |
| Login/Logout |
584 |
| Firewall Restart |
585 |
| IPSec Restart |
585 |
| WAN Status |
585 |
| Traffic Metering Logs |
589 |
| Unicast, Multicast, and Broadcast Logs |
589 |
| Invalid Packet Logging |
590 |
| Content-Filtering and Security Logs |
592 |
| Web Filtering and Content-Filtering Logs |
592 |
| Spam Logs |
594 |
| Traffic Logs |
595 |
| Virus Logs |
595 |
| Email Filter Logs |
595 |
| IPS Logs |
596 |
| Port Scan Logs |
596 |
| Application Logs |
596 |
| Routing Logs |
597 |
| LAN-to-WAN Logs |
597 |
| LAN-to-DMZ Logs |
597 |
| DMZ-to-WAN Logs |
597 |
| WAN-to-LAN Logs |
598 |
| DMZ-to-LAN Logs |
598 |
| WAN-to-DMZ Logs |
598 |
| G. Default Settings and Technical Specifications |
599 |
| Default Settings |
599 |
| Physical and Technical Specifications |
601 |
| H. Notification of Compliance (Wired) |
605 |
| I. Notification of Compliance (Wireless) |
609 |
1
367
368
369
370
371
372
373
374
375
376
377
